-1

I am trying to recode an existing Python script to Java. It includes the following line:

r = requests.get('https://{}/redfish/v1/{}'.format(ip, query), auth=('ADMIN', 'ADMIN'), verify=False)

I don't have a lot of experience in Python and didn't write the script myself. So far I've only been able to figure out what it does, but not how to replicate it using Java.

If anyone could point me in the right direction that would be awesome.

Thanks!

Korlimann
  • 3
    Have you tried to type the title of your question on Google? The [first result](https://www.baeldung.com/java-http-request) contains exactly what you're looking for. – Matteo NNZ Jun 24 '21 at 13:27
  • 3
    Does this answer your question? [HTTP GET request in java](https://stackoverflow.com/questions/36140269/http-get-request-in-java) – Elikill58 Jun 24 '21 at 13:32
  • @MatteoNNZ I have, but it seems my keywords were off! Thank you very much! – Korlimann Jun 24 '21 at 13:40
  • Well I just copy-pasted your title, so no your keywords were pretty good :) – Matteo NNZ Jun 24 '21 at 14:53

2 Answers

2

First, read this tutorial on the java HTTP client. (Note that it requires jdk11 or up).

From there it should be fairly simple; that .format() thing is just replacing the {} with the provided ip and query parts. The auth part is more interesting. The verify part presumably means 'whatever, forget about SSL'.

Between a password of 'admin' and 'disregard SSL issues', this code screams "You are about 2 weeks away from getting your box p0wned", maybe you should be taking security a bit more seriously than this.

At any rate, the equivalents in the java sphere are more complicated, because java intentionally does not mean 'disable ssl' to be a casual throwaway move, unlike python which just hands you the bazooka no questions asked.

Here is a tutorial on how to do basic http auth with the http client.

To shoot your foot off properly and ensure that the foot is fully dead, you need to make an SSL Context that does nothing and silently just accepts all certificates, even ones someone trying to hack your system made. Then pass that for .sslContext to HttpClient.builder().

Here is an example of someone firing this bazooka.

rzwitserloot
  • Awesome, thank you! Regarding the security, I will try and see if there's a better approach to this. Although, this script was coded by a co-worker and is executed on a local network to get information from servers we're setting up for clients (hence the "ADMIN/ADMIN" login, the server doesn't even have an OS) and writes that information in a text file. Regarding this, do you still think it would be unsafe to do it this way? Because I really like my feet and don't plan on bringing bazookas to work :D – Korlimann Jun 24 '21 at 13:54
  • I've been taking a look at the tutorials you linked, and it appears that most of the classes these tutorials use are not available. Guess I already killed my foot by using JDK 16? – Korlimann Jun 24 '21 at 14:11
  • @Korlimann quite the opposite. The tutorials I linked you to are the 'new' baked-into-java HTTP client; it was introduced in JDK11. If they 'aren't available', you are on JDK8 and you merely think you're on 16. If you're really on 16, these would all be available. – rzwitserloot Jun 24 '21 at 14:28
  • Interesting, it appears I was using openjdk-16.0.1, according to IntelliJ. I tried adding my local installation of java 16.0.1, but there are still no classes named "CredentialsProvider" or "UsernamePasswordCredentials". HttpClient/Response work fine, but I can't find how to do the authentication without these classes. – Korlimann Jun 24 '21 at 14:39
0

First, you can use String.format for the formatting:

String url=String.format("https://%s/redfish/v1/%s",ip,query);

You could also use MessageFormat if you want to.

For connecting, you can create a URL object, create a URLConnection (in your case HttpsURLConnection) from it, and open an InputStream for the response afterwards:

HttpsURLConnection con = (HttpsURLConnection) new URL(url).openConnection();
// getInputStream() sends the request and returns the response body
try (BufferedInputStream is = new BufferedInputStream(con.getInputStream())) {
    //...
}

In order to do the authentication, you can take a look at this tutorial:

String auth =  "ADMIN:ADMIN";
byte[] encodedAuth = Base64.getEncoder().encode(auth.getBytes(StandardCharsets.UTF_8));
String authHeaderValue = "Basic " + new String(encodedAuth, StandardCharsets.UTF_8);
//Get the HttpURLConnection
con.setRequestProperty("Authorization", authHeaderValue);
//Connect/open InputStream

If you really want to disable verification, you can create your own HostnameVerifier that allows everything, but this is strongly discouraged, as it allows man-in-the-middle attacks: you basically disable the security of HTTPS:

con.setHostnameVerifier((hostname,sslSession)->true);

All combined, it could look like this:

import java.io.BufferedInputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;

String url=String.format("https://%s/redfish/v1/%s",ip,query);

String auth =  "ADMIN:ADMIN";
byte[] encodedAuth = Base64.getEncoder().encode(auth.getBytes(StandardCharsets.UTF_8));
String authHeaderValue = "Basic " + new String(encodedAuth, StandardCharsets.UTF_8);

HttpsURLConnection con=(HttpsURLConnection)new URL(url).openConnection();

con.setRequestProperty("Authorization", authHeaderValue);
con.setHostnameVerifier((hostname,sslSession)->true);//vulnerable to man in the middle attacks

// getInputStream() sends the request and returns the response body
try(BufferedInputStream is=new BufferedInputStream(con.getInputStream())){
    //...
}

dan1st
  • You're advising using an obsolete and badly designed API. – rzwitserloot Jun 24 '21 at 14:04
  • Thanks! I've tried using your code as a Base, but it appears that both the Class HttpsUrlConnection and the method encodeBase64() do not exist. Could it be because I'm using JDK16? EDIT: It appears that HttpURLConnection is the new class name for HttpsUrlConnection? – Korlimann Jun 24 '21 at 14:05
  • `Base64.encodeBase64` doesn't exist in anything. This answer is gobbledygook. `HttpsURLConnection` exists (note the s!). `HttpsUrlConnection` does not exist and never has. This answer is perhaps written off the top of author's head, and author is misremembering. – rzwitserloot Jun 24 '21 at 14:29