6

I am using Java to create a desktop application, and this application uses an API. To secure the communication with the API, I was informed by their support to use HTTPS. Please guide me on how to set up an HTTPS connection from a Java client.

The API has this function which states that it can choose a secure connection:

    private String getUrlAddress(XmlRequest request) {
        // determine if this is a secure connection
        String url = this.ssl ? "https://" : "http://";

        // determine service endpoint based on type of class/request passed in
        if( request.getClass() == MessageRequest.class) {
            url += ClockWorkSmsService.SMS_URL;
        }
        else {
            url += ClockWorkSmsService.CREDIT_URL;
        }

        return url;
    }

This code gives me the idea that "request" will be my current URL or server, so it will be me on my side that will set up the HTTPS connection.

Clockworksms API Wrapper:

    import com.clockworksms.*;

    public class DemoSms
    {
       public static void main(String[] args)
       {
          try
          {
             ClockWorkSmsService clockWorkSmsService = new ClockWorkSmsService("apikey");
             SMS sms = new SMS("441234567890", "Hello World");
             ClockworkSmsResult result = clockWorkSmsService.send(sms);

             if(result.isSuccess())
             {
                System.out.println("Sent with ID: " + result.getId());
             }
             else
             {
                System.out.println("Error: " + result.getErrorMessage());
             }
          }
          catch (ClockworkException e)
          {
             e.printStackTrace();
          }
       }
    }

magicianiam
  • You may get some idea from here [http://stackoverflow.com/questions/4722644/web-service-client-with-java-application-and-ssl]; also have a look at [http://www.javaworld.com/article/2077600/learn-java/java-tip-96--use-https-in-your-java-client-code.html] – Vishal Oct 05 '15 at 12:11
  • You need to make a request to a secure HTTPS API, right? – John Eipe Oct 05 '15 at 12:14
  • @John yes, I want there to be a secure connection between the two, and I was told that HTTPS is the way to make that happen – magicianiam Oct 05 '15 at 12:24
  • So in that case you need not host an HTTPS server; your Java client will make an HTTPS connection request. – John Eipe Oct 05 '15 at 12:25
  • @Vishal thank you for that, I'll take a look into it :) – magicianiam Oct 05 '15 at 12:25
  • @John yes, that's what I thought, but how do I set it up, and how do I make the client connection? Thanks :) – magicianiam Oct 05 '15 at 12:32

2 Answers

2

If it's a secure REST API, have a look here.

If it's just an HTTP resource that you need to access, then have a look at the Apache HTTPClient library and its tutorials.

There are hundreds of resources out there, please try and then post specific questions.

John Eipe
  • Thank you for this, I'll read this now. Will it be okay if I ask you some questions when I feel stuck? – magicianiam Oct 05 '15 at 12:55
  • I read [link](http://www.bhaveshthaker.com/24/calling-invoking-secure-restful-web-service-over-https-with-jax-rs-in-java-without-keystore-truststore-information/) and truthfully didn't fully understand it, though from what I can get, it is establishing itself as an HTTPS connection. On that part, how does it connect to my API or how do I connect it to my API, and will the API automatically know that the connection is already secure? Thanks – magicianiam Oct 05 '15 at 13:18
  • 1
    Is the API REST based? – John Eipe Oct 05 '15 at 15:14
  • The API uses RESTful, SOAP and SMPP protocols. – magicianiam Oct 05 '15 at 15:20
  • 1
    I suggest that you pick up a REST client library and explore what can be done with it. This one uses Grizzly for both client and server: http://stackoverflow.com/questions/1757295/using-https-with-rest-in-java – John Eipe Oct 05 '15 at 15:29
  • In my case I don't have to set up anything server side, right? And simply focus on the client side for SSL? – magicianiam Oct 05 '15 at 15:31
  • Also, I believe this is a simple question, but is a certificate only needed if you want your web server to be able to use HTTPS, meaning when you want others to access your web site or application using HTTPS? If you want to access an existing system with its own HTTPS connection, you don't need to provide your own certificate, right? I was just confused, as in that link you gave me he needed to use it in accessing the API. – magicianiam Oct 05 '15 at 15:38
  • You needn't create a certificate unless you are hosting the service but the client needs access to the certificate. Have a look here: http://stackoverflow.com/questions/2145431/https-using-jersey-client – John Eipe Oct 05 '15 at 15:43
  • So I will need access to the certificate for me to have an HTTPS connection with their API? I read some of the links you gave me and it did give me a bit of insight on how to establish an HTTPS connection; it was just confusing since some of them didn't mention certificates and none incorporated an API, most were just accessing a secure link. Though thank you once again for taking your time and helping me – magicianiam Oct 05 '15 at 15:45
0

Actually, we need to override the existing default behavior and allow all servers as trusted. The code snippet below will help you:

    // Needs: import javax.net.ssl.*; import java.security.cert.X509Certificate;
    /* START of the fix */
    // Trust manager that accepts every certificate chain without checking it
    TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
        // The interface requires a non-null (possibly empty) array here
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        public void checkClientTrusted(X509Certificate[] certs, String authType) { }
        public void checkServerTrusted(X509Certificate[] certs, String authType) { }

    } };

    // Install it as the JVM-wide default for every HttpsURLConnection
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

    // Create all-trusting host name verifier
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
    // Install the all-trusting host verifier
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    /* End of the fix */

Rupesh Kumar
  • Security-wise, this is not a fix, but a backdoor. Still, if you are officially required to do this... thank you for the code snippet anyhow. – foo Apr 28 '19 at 16:18