Is this Java code still secure? HTTPS Connections using the URL class
I'm writing a Java wrapper for an API and I have a fundamental question about SSL and HTTPS connections. I know when HTTPS connections are made IN THE BROWSER, the information is encrypted between the browser and the server, so that the information cannot be read if it is intercepted. That's the fundamental SSL connection as far as I know it.
Does that same level of security exist between a Java method call and the server however? For example, if I create a URL class with an address of "https://server.com/", will the information between the Java code and the server be encrypted?
In other words, is the information being returned in this type of code secure (directly from my API, returns a JSON string):
    public static String getJSON() throws IOException {
        String url = "https://nxtpass.com/create/?" +
                "apiKey=" + apiKey; // and so on, building up the query
        // openStream() opens the connection and returns the response body stream
        return IOUtils.toString(new URL(url).openStream());
    }
If I were to type that address into a browser, the returned JSON string would be secured by the HTTPS connection (I believe this to be true). Does that same security hold up in my code above? If not, how would I go about doing that?
Yes. The line
    new URL(url).openStream()
is equivalent to
    new URL(url).openConnection().getInputStream()
and the openConnection() call returns an appropriate connection for the specified protocol. In this case, it will be an HttpsURLConnection, which is coded to actually do HTTPS.
If I understand your question right, the Java distribution has built-in support for JSSE, which has protocol handlers for SSL (HTTP over SSL). So, yes, the connection made via the java.net.URL class is secure to the HTTPS URL being accessed.
Yes, this is secured as in the case of a browser. All the params you pass in the URL will be secured with SSL.
A side note: in case the server-end certificate is not trusted [if it is a self-signed certificate], you need to set the following two system properties before calling - there you need to import the corresponding public certificate to a local key store [path/to/truststore].
    System.setProperty("javax.net.ssl.trustStore", "path/to/truststore");
    System.setProperty("javax.net.ssl.trustStorePassword", "password");
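An added example, not code from the question or from any answer: it loads a trust store into an SSLContext and applies it to a single HttpsURLConnection instead of setting JVM-wide system properties, and it refuses to proceed if the URL did not resolve to the HTTPS handler. The class name, the command-line arguments and the trust store path are assumptions for illustration; it needs Java 9 or later for readAllBytes().

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreFetch {

    // Build an SSLContext that trusts only the certificates in the given trust store.
    static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate, default SecureRandom
        return ctx;
    }

    static String fetch(String address, SSLContext ctx) throws Exception {
        URLConnection raw = new URL(address).openConnection();
        // Refuse to continue if the URL did not resolve to the HTTPS protocol handler.
        if (!(raw instanceof HttpsURLConnection)) {
            throw new IllegalArgumentException("not an https:// URL: " + address);
        }
        HttpsURLConnection conn = (HttpsURLConnection) raw;
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // applies to this connection only
        try (InputStream in = conn.getInputStream()) {    // handshake and certificate checks run here
            String body = new String(in.readAllBytes(), StandardCharsets.UTF_8);
            System.err.println("cipher suite: " + conn.getCipherSuite());
            return body;
        } finally {
            conn.disconnect();
        }
    }

    // Usage (all arguments are placeholders): java TrustStoreFetch <https-url> <truststore> <password>
    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFor(args[1], args[2].toCharArray());
        System.out.println(fetch(args[0], ctx));
    }
}
```

Host name verification stays at the HttpsURLConnection default, so the certificate must still match the host in the URL; a handshake against a server whose certificate is not in the trust store fails with an SSLHandshakeException.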
HTTPS is HTTP over SSL, whether the client is a browser, Java, VB, Smalltalk, Snobol, Fortran, ...