
I have a web service on one server and a Java client on another. Currently all calls are being made over HTTP, but I would like the service to be more secure with HTTPS and basic authentication; I only want my client to be able to make calls. My web server receiving the requests is Apache httpd.

I've set up directives in the Apache conf as follows:

```
<Location /mypath>
        Order Deny,Allow
        Deny from all
        Allow from all
        AuthType Basic
        AuthName "My Web Service Login"
        AuthBasicProvider file
        AuthUserFile "/usr1/apache/passwd/passwords"
        Require user myuser
</Location>
```

The passwords file has only one entry, for myuser.

```
<IfModule ssl_module>
        ServerName www.myserver.com
        SSLEngine on
        SSLCACertificateFile "/usr1/apache/conf/ssl/myCAList.pem"
        SSLCertificateFile "/usr1/apache/conf/ssl/myserver.crt"
        SSLCertificateKeyFile "/usr1/apache/conf/ssl/myserver.pem"
        SSLVerifyClient require
</IfModule>
```

I think I have the server set up correctly (posted just in case). However, I can't test this for another hour when I can safely restart Apache.

What I need help with is I'm unsure of how to configure the client. Here is a simple example call (using httpclient 4.5.1):

```java
// HttpClients (plural) is the factory class in httpclient 4.5.x
HttpClient client = HttpClients.createDefault();
HttpGet httpGet = new HttpGet(URI);
HttpResponse httpRes = client.execute(httpGet);
```

I know I need to specify https instead of http on the URI, but how do I

1) Send the username and password for the basic authentication
2) Make sure my client server trusts the certificate of the web service server
3) What certificates and such that I need on the client server for the SSL connection

Thank you!

BoDidely
  • If your server has a cert signed by a trusted CA (like Verisign) you don't need any certs on the client – Lev Kuznetsov May 11 '16 at 21:38
  • Using a self signed cert unfortunately – BoDidely May 11 '16 at 21:40
  • Here's an example on how to set up the `SSLContext` you need to put the self signed certificate into the truststore. https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientCustomSSL.java – Lev Kuznetsov May 11 '16 at 21:42
  • You can test how basic auth works with any server that requires that. That's completely independent of SSL. http://www.baeldung.com/httpclient-4-basic-authentication should be how. Wrt self-signed it should be something like http://stackoverflow.com/questions/5206010/using-apache-httpclient-for-https - you need a "truststore", which is a file that has certificates the client trusts, you want your server cert in there. To get the `.crt` in there: http://stackoverflow.com/questions/373295/digital-certificate-how-to-import-cer-file-in-to-truststore-file-using – zapl May 11 '16 at 21:43
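
The pieces named in the comments above (a truststore holding the self-signed server certificate, plus basic-auth credentials) combined into one httpclient 4.5.x client, as an added example that is not part of the original post or its comments. Because the posted server config sets `SSLVerifyClient require`, the client also has to present its own certificate, so a client keystore is loaded as well. The store file names and the environment variable names are assumptions.

```java
import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

public class SecureServiceClient {
    public static void main(String[] args) throws Exception {
        // Assumed inputs: store passwords come from the environment, not source code.
        char[] trustPass = System.getenv("TRUSTSTORE_PASS").toCharArray();
        char[] keyPass = System.getenv("KEYSTORE_PASS").toCharArray();

        SSLContext sslContext = SSLContexts.custom()
                // Trust only what is in this store (the imported self-signed server cert).
                .loadTrustMaterial(new File("client-truststore.jks"), trustPass)
                // Client certificate and private key, required by SSLVerifyClient require.
                .loadKeyMaterial(new File("client-keystore.jks"), keyPass, keyPass)
                .build();
        // The single-argument constructor keeps default hostname verification enabled.
        SSLConnectionSocketFactory sslFactory = new SSLConnectionSocketFactory(sslContext);

        // Scope the credentials to one host and port so they are not offered elsewhere.
        CredentialsProvider creds = new BasicCredentialsProvider();
        creds.setCredentials(new AuthScope("www.myserver.com", 443),
                new UsernamePasswordCredentials("myuser", System.getenv("SERVICE_PASS")));

        try (CloseableHttpClient client = HttpClients.custom()
                .setSSLSocketFactory(sslFactory)
                .setDefaultCredentialsProvider(creds)
                .build();
             CloseableHttpResponse res = client.execute(
                     new HttpGet("https://www.myserver.com/mypath"))) {
            System.out.println(res.getStatusLine());
            System.out.println(EntityUtils.toString(res.getEntity()));
        }
    }
}
```

Hostname verification stays on here, so the self-signed certificate's CN or subjectAltName has to match `www.myserver.com`. The client certificate in the keystore must chain to a CA listed in the server's `SSLCACertificateFile`.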
