Java Tip 96: Use HTTPS in your Java client code

Find out how to use the HTTPS protocol with the standard URL class

Page 2 of 3

   URL url = new URL("https://[your server]");


If you are connecting to the standard SSL port, 443, you have the option of appending the port number to the URL string. However, if your Web server is using a nonstandard port for SSL traffic, you'll need to append the port number to your URL string like this:

   URL url = new URL("https://[your server]:7002");


One caveat of that technique concerns a URL that refers to a server that has an unsigned or invalid SSL certificate. In that case an attempt to retrieve the input or output stream from the URL's connection object will throw an SSLException with the message "untrusted server cert chain." If the server has a valid, signed certificate, no exception will be thrown.

   URL url = new URL("https://[your server]");
   // openConnection() is an instance method, so call it on the url object
   URLConnection con = url.openConnection();
   //SSLException thrown here if server certificate is invalid
   con.getInputStream();


The obvious solution to that problem is to get signed certificates for your server. However, one of the following URLs may also provide a solution: "Java Secure Socket Extension 1.0.2 Changes" (Sun Microsystems) or Sun's Java Developer Connection forum.
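The following is an added example, not code from the original article: a client for a current JDK (where JSSE is built in) that treats the SSLException described above as a hard failure and, for a server whose certificate chains to an internal CA, extends trust through an explicit truststore instead of turning validation off. The class name `HttpsFetch`, the command-line arguments, and the truststore file and password are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

public class HttpsFetch {
    // Trust only the CAs in the given truststore (path and password are assumptions).
    static SSLContext contextFor(String storePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage: java HttpsFetch https://host[:port]/ [truststore password]
    public static void main(String[] args) throws Exception {
        if (args.length == 0 || !args[0].startsWith("https://")) {
            throw new IllegalArgumentException("expected an https:// URL");
        }
        URL url = new URL(args[0]);
        HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
        if (args.length >= 3) {
            // Internal CA: extend trust explicitly instead of disabling validation.
            con.setSSLSocketFactory(contextFor(args[1], args[2].toCharArray()).getSocketFactory());
        }
        con.setConnectTimeout(5000);
        con.setReadTimeout(5000);
        try (InputStream in = con.getInputStream()) { // TLS handshake happens here
            System.out.println("HTTP " + con.getResponseCode() + " via " + con.getCipherSuite());
        } catch (SSLException e) {
            // Untrusted or mismatched certificate: fail closed, do not retry unvalidated.
            System.err.println("TLS failure for " + url.getHost() + ": " + e.getMessage());
            System.exit(2);
        } catch (IOException e) {
            System.err.println("Network or HTTP error: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Catching SSLException before IOException matters because it is a subclass of IOException; keeping the two branches separate lets logs and monitoring distinguish a certificate problem from an ordinary network error.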

Microsoft JView

Due in part to the ongoing dispute between Microsoft and Sun over the licensing of Java for use on Windows platforms, the Microsoft JView VM is currently only JDK 1.1-compliant. Therefore, the technique described above will not work for clients running in JView, as the JSSE requires at least a 1.2.2-compatible VM. Conveniently enough, however, Microsoft provides an HTTPS-enabled stream handler as part of the com.ms.net.wininet package.

You can set the stream handler in a JView environment by calling a single static method on the URL class:

    URL.setURLStreamHandlerFactory(new
    com.ms.net.wininet.WininetStreamHandlerFactory());

After making the previous method call, the MalformedURLException will no longer be thrown by calling the following code:

    URL url = new URL("https://[your server]");


There are two caveats associated with that technique. First, according to the JDK documentation, the setURLStreamHandlerFactory method may be called at most once in a given VM. Subsequent attempts to call that method will throw an Error. Second, as is the case with the 1.2 VM solution, you must be cautious when using a URL that refers to a server with an unsigned or invalid SSL certificate. As with the previous case, problems occur when an attempt is made to retrieve the input or output stream from the URL's connection object. However, instead of throwing an SSLException, the Microsoft stream handler throws a standard IOException.

    URL url = new URL("https://[your server]");
    URLConnection con = url.openConnection();
    //IOException thrown here if server certificate is invalid
    con.getInputStream();


Again, the obvious solution to that problem is to attempt HTTPS communication only with servers that have a signed, valid certificate. However, JView offers one other option. Immediately prior to retrieving the input or output stream from the URL's connection object, you can call setAllowUserInteraction(true) on the connection object. That will cause JView to display a message warning the user that the server's certificates are invalid, but giving him or her the option to proceed anyway. Keep in mind, however, that such messages may be reasonable for a desktop application, but having dialog boxes appear on your server for anything other than debugging purposes is probably unacceptable.

Comments (2)

about Use HTTPS in your Java client code
By Anonymous on September 21, 2009, 9:35 am
Is this post too old?


Java Enterprise Edition
By Anonymous on April 7, 2009, 11:09 pm
I need programs source code for managing clients. I need ClientServer Programs. How clients are managed by servers
