问题
I need to make a HTTPS call from client. I do not need to send certificates to the server, just need to validate the certificate from the server.
i researched this topic and this is my understanding. Can you please confirm? I do not have a test service yet, against which to verify my code... but still need to meet deadlines.. any advice/input will be helpful.
I added this to my class:
private static String appKeyFile = "/project/src/security/cert_file.jck";
private static String key = "password";
static {
System.setProperty("javax.net.ssl.keyStore", appKeyFile);
System.setProperty("javax.net.ssl.keyStorePassword",key);
System.setProperty("javax.net.ssl.keyStoreType","JCEKS");
}
And am making the HTTPS call as follows:
config = new DefaultClientConfig();
client = Client.create(config);
service = client.resource(UriBuilder.fromUri("https://localhost:8081/TestService").build());
clientResponse = service.path("rs").path("test").path("getCustomerDetail")
.accept(MediaType.APPLICATION_XML)
.post(ClientResponse.class, customerRequestType);
if (clientResponse.getStatus() == Response.Status.OK.getStatusCode()) {
custResponseType = clientResponse.getEntity(CustResponseType.class);
System.out.println("First Name" +
custResponseType.getFirstName());
}
Is this sufficient from SSL/HTTPS/certs etc point of view (other than debugging)? Is there anything else i need to do,like loading the keystore or initializing the SSLContext?
回答1:
In case you are using self-signed certificate, you may face issues related to SSL Certificate validation. This link discusses this.
回答2:
The javax.net.ssl.keyStore* properties (the keystore) are for the keys and certificates of the party using it. That is, on the server, it should contain the server certificate and its private key; on the client, it should contain the client certificates and their private keys.
In contrast the truststore (javax.net.ssl.trustStore* properties) contains the trusted certificates used to validate the remote party's certificate. On the client, it's what's used to determine whether you trust the server certificate (normally, via a chain to a CA certificate trusted by the client); on the server, it's what's used to verify a client certificate.
Both truststore and keystore are keystore files/objects (the terminology doesn't really help).
If you set javax.net.ssl.keyStore* on the client side, it will be used by the client to present its certificate (which can only be requested by the server, and which you don't seem to be using anyway). It will still use the default truststore (shipped/configured with the JRE), and it's unlikely to contain the specific certificate in cert_file.jck (which is presumably a self-signed certificate you've generated for the server). Instead, set the javax.net.ssl.trustStore* properties to point to that file.
(If you want the default CA certificates to be available too, I'd suggest copying the certificates in the default truststore, usually from $JAVA_HOME/lib/security/jssecacerts or $JAVA_HOME/lib/security/cacerts into your own truststore.)
来源:https://stackoverflow.com/questions/4130409/https-rest-clientresponse