ONJava.com -- The Independent Source for Enterprise Java

Secure Your Sockets with JSSE

Securing Java Clients

Your Java applications may also require clients to support SSL. Client-side SSL is even easier to support than server-side SSL. Listing 7 presents a basic text-based Java browser. You can use it for browsing text-based Web pages. For example, if you enter java Browser http://onjava.com, you'll get a ton of HTML markup.

Listing 8 presents SecureBrowser, which extends Browser to provide SSL support. You can run SecureBrowser against a site that implements SSL, such as Sun's secure web site. For example, java SecureBrowser https://www.sun.com will establish a secure connection to Sun's web page and download a lot of markup securely.

The trick to implementing SSL on the client is to register JSSE as a security provider and set the java.protocol.handler.pkgs system property so that JSSE is used automatically to handle https URLs.

Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());


You may wonder what happens when you run SecureBrowser against SecureServer. It doesn't work. That's because SecureBrowser won't accept SecureServer's phony certificate. However, we can trick SecureBrowser into accepting SecureServer's certificate. Here's how:

  1. Use keytool to export the server certificate from the certs keystore.

    keytool -export -keystore certs -alias jamie -file server.cer
    Enter keystore password:  serverkspw
    Certificate stored in file <server.cer>
  2. Use keytool to create a new keystore named jssecacerts (which will be used as a truststore by SecureBrowser). Import server.cer into jssecacerts.

    keytool -import -keystore jssecacerts -alias jamie -file server.cer
    Enter keystore password: 12345678
    Owner: CN=enpower, OU=Software Development, O=Toolery.com, L=Chula Vista, ST=CA, C=US
    Issuer: CN=enpower, OU=Software Development, O=Toolery.com, L=Chula Vista, ST=CA, C=US
    Serial number: 3ae5d0fc
    Valid from: Tue Apr 24 12:16:12 PDT 2001 until: Mon Jul 23 12:16:12 PDT 2001
    Certificate fingerprints:
         MD5: A9:00:67:FF:7A:1B:D4:4A:D5:33:72:97:C5:88:0B:6D
         SHA1: 16:40:79:8A:11:BC:F8:AE:96:0D:FF:30:46:B5:62:0F:E2:18:56:7F
    Trust this certificate? [no]: y
    Certificate was added to keystore

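  3. Finally, copy jssecacerts to the lib/security subdirectory of your java.home directory on your client machine.

    Now SecureBrowser will use jssecacerts as a truststore to authenticate SecureServer. Because JSSE uses a jssecacerts file in lib/security in place of the default cacerts file, this truststore applies to every Java program run on that JRE, and the CA certificates in cacerts are no longer consulted.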

When I run SecureBrowser against SecureServer, I get the following output:

java SecureBrowser https://enpower/
KEY: Content-Length
VALUE: 487
KEY: Content-Type
VALUE: text/html
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
   <title>Welcome to Java Security using JSSE</title>

<h1>Welcome to Java Security using JSSE</h1>

<p>This page was securely sent using SSL version 3.0.</p>
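As an alternative to step 3's JRE-wide truststore, the following added example (not from the original article) loads the truststore built in step 2 and applies it to a single connection, printing each trusted certificate's SHA-256 fingerprint so it can be compared with the value obtained from the server operator before relying on it. It uses the standard javax.net.ssl API built into later Java releases rather than the JSSE 1.0 provider classes; the class name PinnedBrowser and its three command-line arguments are assumptions.

```java
import java.io.*;
import java.net.URL;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import javax.net.ssl.*;

// Added example (hypothetical class name): trusts only the certificates in one
// truststore file, for one connection, without touching java.home.
public class PinnedBrowser {
  // Build a socket factory whose trust anchors come solely from the given keystore.
  static SSLSocketFactory factoryFor(KeyStore trust) throws Exception {
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trust);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null); // no client key, default randomness
    return ctx.getSocketFactory();
  }

  // Colon-separated SHA-256 fingerprint of a certificate's DER encoding.
  static String fingerprint(Certificate cert) throws Exception {
    byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
    StringBuilder sb = new StringBuilder();
    for (byte b : d) sb.append(sb.length() == 0 ? "" : ":").append(String.format("%02X", b));
    return sb.toString();
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 3) {
      System.out.println("Usage: java PinnedBrowser truststore password url");
      System.exit(1);
    }
    KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
    try (InputStream in = new FileInputStream(args[0])) {
      trust.load(in, args[1].toCharArray());
    }
    for (String alias : Collections.list(trust.aliases()))
      System.out.println(alias + " SHA-256: " + fingerprint(trust.getCertificate(alias)));
    HttpsURLConnection urlc = (HttpsURLConnection) new URL(args[2]).openConnection();
    urlc.setSSLSocketFactory(factoryFor(trust)); // applies to this connection only
    try (BufferedReader reader =
        new BufferedReader(new InputStreamReader(urlc.getInputStream()))) {
      String line;
      while ((line = reader.readLine()) != null) System.out.println(line);
    }
  }
}
```

With the files from the steps above, it would be run as java PinnedBrowser jssecacerts 12345678 https://enpower/ from the directory that holds jssecacerts.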

Listing 7. A Basic Java Browser.

import java.io.*;
import java.net.*;
import java.security.*;

// A simple text-based browser
public class Browser {
  String urlString;

  // You must supply the URL to be browsed
  public static void main(String[] args) throws Exception {
    if(args.length != 1) {
      System.out.println("Usage: java Browser url");
      System.exit(1);
    }
    Browser browser = new Browser(args[0]);
    browser.run();
  }

  // Construct a browser object
  public Browser(String urlString) {
    this.urlString = urlString;
  }

  // Get the URL, then print its response headers and content
  public void run() throws Exception {
    URL url = new URL(urlString);
    HttpURLConnection urlc = (HttpURLConnection) url.openConnection();
    System.out.println("THE HEADERS");
    // Walk the header fields until either the key or the value runs out
    for(int i=1;;++i) {
      String key;
      String value;
      if((key = urlc.getHeaderFieldKey(i)) == null) break;
      if((value = urlc.getHeaderField(i)) == null) break;
      System.out.println("KEY: " + key);
      System.out.println("VALUE: " + value);
    }
    BufferedReader reader = new BufferedReader(
      new InputStreamReader(urlc.getInputStream()));
    String line;
    System.out.println("THE CONTENT");
    while((line = reader.readLine()) != null) System.out.println(line);
  }
}

Listing 8. A Browser that Supports Basic SSL

import java.io.*;
import java.net.*;
import java.security.*;

// Extend Browser to use SSL
public class SecureBrowser extends Browser {
  // Must supply URL in command line
  public static void main(String[] args) throws Exception {
    if(args.length != 1) {
      System.out.println("Usage: java SecureBrowser url");
      System.exit(1);
    }
    SecureBrowser browser = new SecureBrowser(args[0]);
    browser.run();
  }

  // Construct a SecureBrowser
  public SecureBrowser(String urlString) {
    // Browser has no no-argument constructor, so pass the URL up explicitly
    super(urlString);
    // Register JSSE
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
    // Here's the trick!
    // Simply set the protocol handler property to use SSL.
