Posted to dev@hc.apache.org by dk...@hotmail.com on 2006/08/01 11:26:02 UTC

https access to servlet requiring client certificate

I've an applet that needs to access a servlet (well, actually a jsp page) that requires a client certificate. I've had success with Sun's standard URL + HttpURLConnection classes but since I'm getting "connection timed out: connect" problems I am seeking to set the timeout value longer. After some searching, it seemed that there's no way to do such a thing with Sun's classes and that I should perhaps try Apache's httpclient if I must set the timeout value, and so here I am.

Needless to say, I stumbled on a problem right away, which I kind of expected because I suspected httpclient wouldn't be able to use the browser's https connection without me doing some tricky things.

So, what should I do? Surely somebody in here must have used httpclient in an applet to do some https access, right?

I don't think the message I got (on the java plugin console) would be of much use, but let me quote a bit anyway: 

java.net.SocketException: Default SSL context init failed: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
	at javax.net.ssl.DefaultSSLSocketFactory.createSocket(Unknown Source)
	at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:81)
	at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:126)
	at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
         ...


--
This message was sent on behalf of dksleung@hotmail.com at openSubscriber.com
http://www.opensubscriber.com/messages/httpclient-dev@jakarta.apache.org/topic.html

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-dev-help@jakarta.apache.org


Re: Re: https access to servlet requiring client certificate

Posted by dk...@hotmail.com.
-- Roland Weber wrote : 

Well, you could start with registering a socket factory for the https
protocol. You're probably doing that, but it's not in the code you posted.
Next, you may want to release the connection EVEN IN CASE OF AN ERROR.
I don't see that either. Re-using the HttpClient object is also a good
idea, so you are not leaking connections and running into limits of the
JSSE provider (or other components). None of this is likely to cause
the problem you are reporting, but why take a chance?
Then let's start with some of the things you didn't mention. Are you
signing the applet and all JARs with it in order to run it? Or are you
installing the libraries locally on the client? Is there a proxy
involved - I've asked that one before. When registering the https
protocol, are you specifying the correct default port? Or does the
APP_HOME_URL_PFX specify a port number? That's also not in the code
you posted.
Commons logging comes with a SimpleLog implementation that writes
log output to System.out. That is allowed even for applets.

If you mean like using Oleg's AuthSSLProtocolSocketFactory then no I'm not doing something like that at the moment. In fact, I've just found out about it yesterday and will perhaps try it out, even if that means I will be in effect doing my own socket i/o in the applet and entailing signing the applet and/or messing around with permissions. Well, my applet in its previous form (using Sun's URL + HttpURLConnection, no commons-httpclient) required none of that - no signing, no permission config, no socketfactory designating, just this simple series of calls: make a URL obj -> HttpURLConnection.openConnection() -> HttpURLConnection.getOutputStream(), and write some plain text to it -> HttpURLConnection.getInputStream() and read back the answers from my plain text speaking client cert requiring servlet.

The java plugin's (you know, that Sun product which allows applets to run within the confines of a browser) version that we use is either 1.4 or 1.5. It is quite simple in terms of my own coding but I know the plugin is doing a lot of work behind the scenes to let me use the browser's https channel. In plugin 1.5 (quite new), it will even access the browser's store of client certificates - the user needs to choose (even when there's only ONE qualifying), but we don't need to install one specifically for the plugin or somewhere on the user's pc.

Sorry about not answering your earlier questions specifically. No, no proxy is involved. In this new version of my applet where I'm using httpclient, I've commons-httpclient-3.0.1.jar, commons-logging.jar (sorry, maybe I changed the jar filename to not include a version number, silly me!), commons-codec-1.3.jar expanded (in a directory tree of org/apache/...) and included in my applet's jar. That should be good because I'm not getting any class not found errors.

Your advice about writing clean and safe code is noted and in the real thing I assure you I've or will take care of it - well, in a way, since I can certainly improve it in terms of cleanness and robustness, surely.

--
This message was sent on behalf of dksleung@hotmail.com at openSubscriber.com
http://www.opensubscriber.com/message/httpclient-dev@jakarta.apache.org/4589747.html



Re: https access to servlet requiring client certificate

Posted by Roland Weber <ht...@dubioso.net>.
Hi
dksleung@hotmail.com wrote:
> As for the code itself, it's actually quite simple but it may be useful
> for you folks to see (well, it comes after this paragraph). Now my
> million dollar question is this, does one have to do any tricky things
> to get httpclient working with https URLs in an applet?

Well, you could start with registering a socket factory for the https
protocol. You're probably doing that, but it's not in the code you posted.
Next, you may want to release the connection EVEN IN CASE OF AN ERROR.
I don't see that either. Re-using the HttpClient object is also a good
idea, so you are not leaking connections and running into limits of the
JSSE provider (or other components). None of this is likely to cause
the problem you are reporting, but why take a chance?
Then let's start with some of the things you didn't mention. Are you
signing the applet and all JARs with it in order to run it? Or are you
installing the libraries locally on the client? Is there a proxy
involved - I've asked that one before. When registering the https
protocol, are you specifying the correct default port? Or does the
APP_HOME_URL_PFX specify a port number? That's also not in the code
you posted.
Commons logging comes with a SimpleLog implementation that writes
log output to System.out. That is allowed even for applets.

cheers,
  Roland
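
Roland's three suggestions above (register the https protocol with an explicit default port, release the connection even on error, re-use one HttpClient), as an added example that is not code from any poster in this thread. It assumes commons-httpclient 3.0.1 on a 1.4-level JVM and port 443; the class name PlainTextPoster is hypothetical.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.methods.StringRequestEntity;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory;

public class PlainTextPoster {   // hypothetical name, not from the thread
    // One shared client (single-threaded use), so connections are re-used, not leaked.
    private static final HttpClient CLIENT = new HttpClient();

    static {
        // Register https with an explicit default port (443 is an assumption).
        // SSLProtocolSocketFactory uses the JSSE default context; a factory that
        // loads a client certificate would be passed here instead.
        Protocol.registerProtocol("https", new Protocol("https",
            (ProtocolSocketFactory) new SSLProtocolSocketFactory(), 443));
        // Connect timeout and socket read timeout are separate settings.
        CLIENT.getHttpConnectionManager().getParams().setConnectionTimeout(60000);
        CLIENT.getParams().setSoTimeout(60000);
    }

    public static String post(String url, String line) throws IOException {
        PostMethod poster = new PostMethod(url);
        poster.setRequestEntity(
            new StringRequestEntity(line, "text/plain", "iso-8859-1"));
        try {
            int status = CLIENT.executeMethod(poster);
            if (status != HttpStatus.SC_OK) {
                throw new IOException("unexpected status " + status);
            }
            BufferedReader in = new BufferedReader(new InputStreamReader(
                poster.getResponseBodyAsStream(), "iso-8859-1"));
            StringBuffer body = new StringBuffer();
            for (String l = in.readLine(); l != null; l = in.readLine()) {
                body.append(l).append('\n');
            }
            return body.toString();
        } finally {
            // Runs on success and on every exception path.
            poster.releaseConnection();
        }
    }
}
```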



Re: Re: https access to servlet requiring client certificate

Posted by dk...@hotmail.com.
Thank you much Roland for the prompt reply. Well, I think the server side should be ok since before this switch to commons-httpclient I had no problem with the URL -> HttpURLConnection.openConnection() -> conn.getOutputStream() route. And funny you should mention logging because it was what I feared most to touch on as I've been wondering in the context of an applet where the logs should go and how do I dictate that, so I simply left it and hoped for the best. But I will try to make use of logs and see if I can spot anything.

As for the code itself, it's actually quite simple but it may be useful for you folks to see (well, it comes after this paragraph). Now my million dollar question is this, does one have to do any tricky things to get httpclient working with https URLs in an applet?
  
HttpClient httpClnt = new HttpClient();
httpClnt.getParams().setParameter( "http.socket.timeout",
                                   new Integer( 60000 ) );

PostMethod poster = new PostMethod( Constants.APP_HOME_URL_PFX +
                                    "/myPlainTextInputAndAnswering.jsp" );
RequestEntity rqst =
   new StringRequestEntity( lotInfoRqstLn, "text/plain", "iso-8859-1" );
poster.setRequestEntity( rqst );

BufferedReader srvlRsp = null;
int respCode = 0;
try {
   respCode = httpClnt.executeMethod( poster );
   if (respCode == 200) {
      srvlRsp = new BufferedReader(
         new InputStreamReader( poster.getResponseBodyAsStream() ) );
   }
}
catch (IOException ioe) {
   // the error I quoted was caught here
}


--
This message was sent on behalf of dksleung@hotmail.com at openSubscriber.com
http://www.opensubscriber.com/message/httpclient-dev@jakarta.apache.org/4579759.html



Re: https access to servlet requiring client certificate

Posted by Roland Weber <ht...@dubioso.net>.
dksleung@hotmail.com wrote:
> I've an applet that needs to access a servlet (well, actually a jsp page) that requires a client certificate.
> 
> java.net.SocketException: Default SSL context init failed: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
> 	at javax.net.ssl.DefaultSSLSocketFactory.createSocket(Unknown Source)

This indicates that either the server is not implementing SSL correctly.
Or, more likely, that the response is not SSL because the server is not
picking up the SSL handshake and instead replies plain text.
Are there any proxies in the way which you failed to configure for
HttpClient? Connecting to the wrong port? Try enabling the HttpClient
context log, to see what parameters HttpClient uses when establishing
the connection:
http://jakarta.apache.org/commons/httpclient/logging.html

hope that helps,
  Roland
