
From my web application, I have to post some data to a remote third-party web service over HTTPS. The users of the web application have been provided with individual certificates to connect to the web service. The web application will work as an intermediary between the end users and the web service, as the application has all the data to be posted. How can this be achieved? An Applet or Java Web Start that can be launched from the web app? Can you guys throw some light on this? Waiting for your ideas and suggestions.

Thank you



Does the web service provider run on a different machine than the web application?

If not, you can directly teach the web application to expose the web services you need to handle the user requests. You can use one of the WS-Security protocols to mutually authenticate client and server.

If yes, does the web service provider run on a private network that can be seen by the web application?

If yes, you can consume the web service directly from your web application, after the user has been mutually authenticated in SSL to the web application, and send the consumed data to the user.

If not, mutually authenticate the user on the web application with SSL; from the web application, use a server certificate to mutually authenticate to the web service provider with one of the WS-Security protocols.

EDIT

To work with self-signed certificates, let the applet import that certificate into a keystore, either the JRE default keystore or a custom keystore loaded at runtime (more precisely, a keystore used to trust certificates is called a TrustStore).

You can create a keystore with the keytool executable offered by Oracle. Once you teach your applet to use that keystore, your applet will trust that self-signed server certificate.

Set the application TrustStore with:

System.setProperty("javax.net.ssl.trustStore","path/to/clientTrustStore.key");
System.setProperty("javax.net.ssl.trustStorePassword","keystore-password-if-any");

Read this link for further information about the javax.net.ssl.trustStore property.

Luca Fagioli
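A worked example of the "custom keystore loaded at runtime" approach, added here and not part of the original answer: it loads the user's PKCS12 client certificate and a separate trust store holding the self-signed server certificate into an SSLContext instead of the JVM-wide system properties, and shows how to get the public key as base64 DER (the question raised later in the comments). File names, passwords and the URL are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example, not code from the original answer. File names and passwords
// are placeholders; the .p12 and the trust store are created beforehand (keytool).
public class MutualTlsClient {
    static KeyStore loadStore(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    // Presents the client certificate (mutual TLS) and trusts only what is in the
    // explicit trust store, e.g. the provider's self-signed server certificate.
    // No javax.net.ssl.* system property is touched, so other HTTPS connections
    // in the same JVM keep the default trust settings.
    static SSLContext buildContext(KeyStore clientKs, char[] keyPass, KeyStore trustKs) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);   // explicit trust store, never a trust-everything TrustManager
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Base64 of the DER (X.509 SubjectPublicKeyInfo) encoding of the public key;
    // PublicKey.getEncoded() already returns DER bytes, no PEM header/footer.
    static String publicKeyDerBase64(KeyStore clientKs, String alias) throws Exception {
        X509Certificate cert = (X509Certificate) clientKs.getCertificate(alias);
        return Base64.getEncoder().encodeToString(cert.getPublicKey().getEncoded());
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();                         // placeholder
        KeyStore clientKs = loadStore("PKCS12", "client.p12", pass);    // user's certificate + key
        KeyStore trustKs = loadStore("JKS", "clientTrustStore.jks", pass); // self-signed server cert
        SSLContext ctx = buildContext(clientKs, pass, trustKs);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://ws.example.test/endpoint").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // default hostname verifier stays active
        System.out.println("HTTP status: " + conn.getResponseCode());
        System.out.println(publicKeyDerBase64(clientKs, clientKs.aliases().nextElement()));
    }
}
```

SAAJ's SOAPConnection does not accept an SSLContext directly; HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()) makes this context the default for all HTTPS connections in the JVM, including the ones SAAJ opens.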
  • The web service runs on a different machine and is exposed to the public, but only using a valid certificate. I want to call the web service from the client browser, which has the certificate added to the browser keystore. If a valid certificate is not added to the browser, the error has to be exposed to the client (through the browser). So the calling procedure should be run on the client/browser side. How? Applet or Java Web Start. Waiting for your suggestions. – Java Novice Mar 01 '11 at 19:39
  • Sorry for the delay, here I am. Then you should go for an Applet, but you need to sign it to access sensitive data like certificates installed on the running local machine. There are plenty of tutorials on how to sign an applet, just google for "sign an applet". – Luca Fagioli Mar 06 '11 at 11:52
  • That's because applets are executed automatically by the browser, so the code cannot be implicitly considered as trusted. Hope this helps. – Luca Fagioli Mar 06 '11 at 12:01
  • Hello Luca, sorry for the delay, I can sign the applet but the real problem, I think, is that the certificate on the web service server is not a trusted one (like VeriSign or GoDaddy) but a self-signed one. As you are aware, once we import a self-signed certificate into a browser it accepts requests to the domain without a security alert. How can I do the same running an applet to call the web service, i.e. call the web service using the certificate installed in the browser where it runs? Hope you can point me in the right direction. – Java Novice Mar 07 '11 at 20:12
  • To work with self signed certificates, let the applet import that certificate in a keystore, either in the JRE default keystore, or a custom keystore loaded at runtime. – Luca Fagioli Mar 09 '11 at 11:10
  • I would go for a custom keystore. You can create it with the keytool executable offered by Oracle. Once you teach your applet to use that keystore, your applet will trust that self-signed server certificate. – Luca Fagioli Mar 09 '11 at 11:17
  • More precisely, a keystore used to trust certificates is called TrustStore. Have a look at [this post](http://stackoverflow.com/questions/2138574/java-path-to-truststore-set-property-doesnt-work) to see how to set your own TrustStore. – Luca Fagioli Mar 09 '11 at 11:29
  • Hello Luca, that's what I intend to have: a "custom keystore loaded at runtime". How can I do that? Not finding much info on Google. Hope you can point me to some. Thanks – Java Novice Mar 09 '11 at 16:10
  • Hello Luca, I think I have found the solution. I am making tests. Will let you know soon. It was the "custom keystore" of your comment that helped me. Thanks – Java Novice Mar 10 '11 at 19:47
  • Hello Luca, thanks. I have a question. Now I am using a p12 certificate. Is it possible to use .cer or .pem certificates and do the same thing? Thanks again. – Java Novice Mar 11 '11 at 07:34
  • Sure, you just need to use different keystore types. A p12 certificate, for example, acts as a keystore itself, and encapsulates in one file both private and public keys. cer and pem handle them separately. – Luca Fagioli Mar 11 '11 at 19:14
  • Hello Luca, I was not able to do the same thing with .cer and .pem files. Can you please help? Other than that I am facing another problem. In the applet, while making the HTTPS connection, I am getting a popup window asking for confirmation about the certificate to be used. Even if I answer yes, the first call throws an error. I tried the solution of accepting all certificates by creating a custom truststore, but no change. The second request is executed correctly. What am I doing wrong? Can you help please? Thanks – Java Novice Mar 20 '11 at 12:23
  • Hello Luca, the first time I post, a dialog window opens asking for confirmation of the certificate to be used (no certificate is shown in the dialog box). I click OK and the error I get from the stack trace is java.security.PrivilegedActionException: com.sun.xml.internal.messaging.saaj.SOAPExceptionImpl: Bad response: (403Forbidden. When I click post again without refreshing anything, everything goes fine as expected. Thanks – Java Novice Mar 21 '11 at 10:01
  • Hello Luca, I suspect this happens while the keystore is loaded. It only happens when loaded from the browser. If I launch it directly from Eclipse there is no such issue. Do you have any solution to bypass this? Thanks – Java Novice Mar 22 '11 at 09:35
  • Hello Luca, the problem has been resolved. It was enough to open an HTTPS URLConnection before creating the SOAPConnection. Thanks – Java Novice Mar 26 '11 at 05:46
  • Sorry Luca, I am still at work on it. I am facing an error and I cannot find a solution. It's been weeks. I am at the last stage, I hope. I am signing a document with my private key and passing the public key to the web service, and I am getting the error "Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.". Have you encountered such an error? If yes, please suggest a workaround. Thanks – Java Novice Apr 21 '11 at 16:47
  • Are you sure the web service expects the public key in DER format, instead of PEM? – Luca Fagioli Apr 21 '11 at 19:35
  • The specification states a base64-encoded DER-format public key. Thanks – Java Novice Apr 22 '11 at 11:56
  • In my app, I use the pfx file, I extract the private key and X509 certificate, and from that generate the public key (java.security.PublicKey). This PublicKey, when encoded and passed to the web service, gives me the DerInputStream.getLength(): lengthTag=127, too big ERROR. The web service specification states to use a base64-encoded DER-format key. Can you please help me? Thanks – Java Novice Apr 22 '11 at 15:48
  • Hello Luca, I verified the keys I exported from the pfx keystore. All are in PEM format. I don't know how to get them in DER format. Can you please guide me? Thanks – Java Novice Apr 28 '11 at 12:09