Java SSL by default does not trust self-signed certificate. Wikibooks:Programming reveals a way to allow connection to secure HTTP server using self-signed certificate. The magic looks like:
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
// do nothing
}
public void checkServerTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
// do nothing
}
}
};
// Install the all-trusting trust manager
SSLContext sc = null;
try {
sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
} catch(GeneralSecurityException gse) {
throw new IllegalStateException(gse.getMessage());
}
HttpsURLConnection.setDefaultSSLSocketFactory(
sc.getSocketFactory());
However, HttpsURLConnection.setDefaultSSLSocketFactory(...) will throw a SecurityException (a RuntimeException) if a security manager exists and its checkSetFactory method does not allow a socket factory to be specified. The thrown SecurityException looks like
Exception in thread "main" java.security.AccessControlException: access denied (java.lang.RuntimePermission setFactory)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkSetFactory(SecurityManager.java:1612)
at javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(HttpsURLConnection.java:308)
at SecurityManagerTest.main(SecurityManagerTest.java:50)
A workaround to avoid such a SecurityException is as below:
URL url = new URL("https://engage.ac.uk");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(sc.getSocketFactory());
conn.getInputStream();
The trick is to use the instance method setSSLSocketFactory instead of the static method setDefaultSSLSocketFactory. The former does not throw a SecurityException.
Note: need to use conn.getInputStream() instead of url.openStream(), otherwise the customised SocketFactory won't be used.
Of course to allow to connect the secure web site, the following permission should be added in the Java security policy file:
permission java.net.SocketPermission "engage.ac.uk:443", "connect";
Subscribe to:
Post Comments (Atom)
210 comments:
«Oldest ‹Older 201 – 210 of 210This article provides a solid solution for working with self-signed certificates in Java while still considering security constraints.digital marketing courses in delhi
Excellent article! Managing SSL certificates in Java can be tricky, and this workaround is a valuable solution. Your detailed explanation and solution are highly appreciated. Thanks a lot.
https://iimskills.com/data-science-courses-in-micronesia/
Data Science Courses in Micronesia
Wonderful article on Let Java SSL Trust All Certificates without Violating Security Manager! The way you explained the topic made everything so much easier to understand. Your examples were really helpful, and I’m excited to read more of your posts. Keep sharing such great insights!
digital marketing courses in pune
Short and simple article. Explained well though. It was quite specific and to the point. Found it interesting and informative. Thanks.
Data Science Courses in Micronesia
https://iimskills.com/data-science-courses-in-micronesia/
Data Science Courses in Micronesia
Your article is valuable to me
SSL Certificate in Noida
Good post, thanks for sharing this valuble information with us, it's insightsful & engaging.
business analyst course in bangalore
This post provides a clear workaround for handling self-signed certificates in Java without violating the security manager. The instance-level setSSLSocketFactory method is a smart approach, avoiding global security issues while maintaining flexibility for specific connections. Practical and well-explained!
digital marketing course in nashik
great work https://iimskills.com/top-23-digital-marketing-courses-in-bangalore/
Nice blogging on trust levels of Java SSL . Thanks for sharing the process which flows.
technical writing course
Allowing Java SSL to trust all certificates without violating the Security Manager involves creating a custom TrustManager that bypasses certificate validation while ensuring controlled usage. This approach is useful for testing or non-production scenarios but should be implemented cautiously. Proper safeguards, such as enabling this only temporarily, maintain overall application security and prevent misuse in sensitive environments.
business analyst course in bangalore
Post a Comment