Posted to httpclient-users@hc.apache.org by Ramon Wang <rw...@bitfone.com> on 2006/08/03 10:32:17 UTC

Reply: applet needing https access to a servlet that requires a client certificate

Hi, Oleg, do you mean that HttpClient can not deal with SSL, it's just designed for normal http connections that use Socket? Expect your answer, thanks.

rwang@bitfone.com

On Thu, 2006-08-03 at 09:39 +0800, leung cc wrote:
> >From: Oleg Kalnichevski 
> >Reply-To: "HttpClient User Discussion" 
> >To: HttpClient User Discussion 
> >Subject: Re: applet needing https access to a servlet that requires a client certificate
> >Date: Wed, 02 Aug 2006 11:12:58 +0200 
> > 
...
> > 
> >HttpClient is known to have been used successfully in applets. I 
> >personally try to stay away from applets at all costs, so I can not give 
> >a first-hand account of that. 
> 
> Firstly, thank you very much for replying. I think you are the man himself 
> who made httpclient, right? 
> 

I am just one of many contributors.

> I'm in too deep now and can't abandon the applet approach now, too bad. :(
> 
> I've heard about "the possibility" even after a short while in this mail 
> list and that means some hope for me, at least. But I'm not sure by how 
> much would my servlet's requiring a client certificate further complicate 
> the picture. I did some research and it now seems I can make use of your 
> goodself's AuthSSLProtocolSocketFactory in order to specify a client 
> certificate and that's assuming I would go the JSSE route and not reusing 
> the browser's https connection, which the current java plugin is allowing 
> me to do. That would be soooo painful to give up on since I imagine then I 
> would need to sign my applet and/or mess around with applet permissions 
> etc.
> 

As far as I know there is simply no way to trigger client SSL
authentication once the connection has been established. You can either
perform client authentication in the browser while the connection is
being negotiated or you have to open a new connection from the applet
sandbox with all the design consequences that entails.

> > > I don't think the message I got (on the java plugin console) would be of
> > > much use, but let me quote a bit anyway:
> > >
> > > java.net.SocketException: Default SSL context init failed: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
> > > at javax.net.ssl.DefaultSSLSocketFactory.createSocket(Unknown Source)
> > > at
> > 
> >This is clearly a problem with the SSL layer and not with HttpClient. 
> > 
> >Also consider getting your code to work outside the applet in a 
> >standalone application and once you are sure the SSL settings are sane, 
> >try moving your code back to the applet and see what happens. 
> > 
> >Running your code with SSL debug traces on may also be of some help 
> > 
> >-Djavax.net.debug=ssl,handshake,data,trustmanager 
> 
> Think I am in one of those situations where this "get it running as an app 
> first" debugging strategy won't work. To do that would mean no browser https 
> connection to use - need to go jsse, using your goodself's 
> AuthSSLProtocolSocketFactory and the only good thing about running it as an 
> app is that I can delay worrying about the applet's sandbox. 
> 
> There,  I am about to cry out my question to everyone now: Has anyone done 
> any https access in an applet with httpclient whilst using the browser's 
> https channel - i.e. not needing to obtain socket i/o permissions for the 
> applet?  A success story even when the server side doesn't require a client 
> certificate would be very encouraging.
> 

This cannot be done as HttpClient cannot be attached to an arbitrary
HttpUrlConnection. HttpClient is designed to work directly with
java.net.Sockets. I hope this answers your question.

Oleg

> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
> 
> 




Re: applet needing https access to a servlet that requires a client certificate

Posted by Roland Weber <ht...@dubioso.net>.
Ramon Wang wrote:
> Hi,Oleg do you mean that HttpClient can not deal with SSL,

No he doesn't. A simple look at our website should have
told you that HttpClient supports SSL:
http://jakarta.apache.org/commons/httpclient/sslguide.html

> it's just designed for normal http connection that use Socket?

HttpClient implements HTTP on top of sockets. That's plain
sockets, or SSL sockets, but sockets:
http://java.sun.com/j2se/1.4.2/docs/api/java/net/Socket.html

HttpsURLConnection is not a socket, it is a connection that
implements HTTP itself and provides communication on top of
HTTP. We can't implement HTTP on top of HTTP. That means we
can't use the builtin features of HttpsURLConnection or
HttpURLConnection, whether that is a browser's certificate
management as in this case, or NTLM with Windows credentials,
which is more often requested.

In order to use HttpClient, you have to be able to establish
a socket connection to the server or proxy. Plain or SSL,
with or without client authentication. Once you've got the
socket, HttpClient can talk HTTP over it.

cheers,
  Roland
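
The two suggestions in this thread (get the SSL settings working in a standalone application first, then talk HTTP over a socket you established yourself) combined into one check, as an added example that is not part of the original messages or of HttpClient's code. It assumes a current JDK, a PKCS12 client keystore, and four hypothetical command-line arguments: keystore path, keystore password, host and port.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.*;

// Added example: standalone check of a client-certificate TLS connection.
// Arguments (all assumptions): <keystore.p12> <password> <host> <port>
public class ClientCertSocketCheck {
    // Load the client keystore on its own, so a wrong password or corrupt
    // file fails here and not inside an opaque "SSL context init failed".
    static KeyStore loadClientKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // throws IOException if the contents cannot be decrypted
        }
        return ks;
    }

    // Build an SSLContext that presents the client key; server trust falls
    // back to the JRE default trust store (null TrustManagers).
    static SSLContext clientAuthContext(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();
        SSLContext ctx = clientAuthContext(loadClientKeyStore(args[0], password), password);
        String host = args[2];
        // The client certificate is offered while this socket's handshake is negotiated.
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, Integer.parseInt(args[3]))) {
            // A raw SSLSocket does not check the server's hostname unless asked to.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            // HTTP spoken directly over the established SSL socket.
            OutputStream out = socket.getOutputStream();
            out.write(("HEAD / HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII));
            out.flush();
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), StandardCharsets.US_ASCII));
            System.out.println(in.readLine()); // the server's HTTP status line
        }
    }
}
```

Running it with `-Djavax.net.debug=ssl,handshake,data,trustmanager`, the flag quoted earlier in the thread, shows whether the server requested a certificate and which one was sent.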

