Https in java ends up with strange results
I'm trying to illustrate to students how https is used in java. But i have the feeling my example is not really the best out there...
The code works well on my windows 7: I start the server, go to https://localhost:8080/somefile.txt and i get asked to trust the certificate, and all goes well. When I try over http (before or after accepting the certificate) I just get a blank page, which is ok for me.
BUT when I try the exact same thing on my windows XP: Same thing, all goes well. But then (after accepting the certificate first), I'm also able to get all the the files through http! (if I first try http before https followed by accepting the certificate, I get no answer..)
I tried refreshing, hard refreshing a million times but this should not be working, right?
Is there something wrong in my code? I'm not sure if I use the right approach to implement https here...
package Security;
import java.io.*;
import java.net.*;
import java.util.*;
import java.util.concurrent.Executors;
import java.security.*;
import javax.net.ssl.*;
import com.sun.net.httpserver.*;
public class HTTPSServer
{
public static void main(String[] args) throws IOException
{
InetSocketAddress addr = new InetSocketAddress(8080);
HttpsServer server = HttpsServer.create(addr, 0);
try
{
System.out.println("\nInitializing context ...\n");
KeyStore ks = KeyStore.getInstance("JKS");
char[] password = "vwpolo".toCharArray();
ks.load(new FileInputStream("myKeys"), password);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, password);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), null, null);
// a HTTPS server must have a configurator for the SSL connections.
server.setHttpsConfigurator (new HttpsConfigurator(sslContext)
{
// override configure to change default configuration.
public void configure (HttpsParameters params)
{
try
开发者_如何学编程 {
// get SSL context for this configurator
SSLContext c = getSSLContext();
// get the default settings for this SSL context
SSLParameters sslparams = c.getDefaultSSLParameters();
// set parameters for the HTTPS connection.
params.setNeedClientAuth(true);
params.setSSLParameters(sslparams);
System.out.println("SSL context created ...\n");
}
catch(Exception e2)
{
System.out.println("Invalid parameter ...\n");
e2.printStackTrace();
}
}
});
}
catch(Exception e1)
{
e1.printStackTrace();
}
server.createContext("/", new MyHandler1());
server.setExecutor(Executors.newCachedThreadPool());
server.start();
System.out.println("Server is listening on port 8080 ...\n");
}
}
class MyHandler implements HttpHandler
{
public void handle(HttpExchange exchange) throws IOException
{
String requestMethod = exchange.getRequestMethod();
if (requestMethod.equalsIgnoreCase("GET"))
{
Headers responseHeaders = exchange.getResponseHeaders();
responseHeaders.set("Content-Type", "text/plain");
exchange.sendResponseHeaders(200, 0);
OutputStream responseBody = exchange.getResponseBody();
String response = "HTTP headers included in your request:\n\n";
responseBody.write(response.getBytes());
Headers requestHeaders = exchange.getRequestHeaders();
Set<String> keySet = requestHeaders.keySet();
Iterator<String> iter = keySet.iterator();
while (iter.hasNext())
{
String key = iter.next();
List values = requestHeaders.get(key);
response = key + " = " + values.toString() + "\n";
responseBody.write(response.getBytes());
System.out.print(response);
}
response = "\nHTTP request body: ";
responseBody.write(response.getBytes());
InputStream requestBody = exchange.getRequestBody();
byte[] buffer = new byte[256];
if(requestBody.read(buffer) > 0)
{
responseBody.write(buffer);
}
else
{
responseBody.write("empty.".getBytes());
}
URI requestURI = exchange.getRequestURI();
String file = requestURI.getPath().substring(1);
response = "\n\nFile requested = " + file + "\n\n";
responseBody.write(response.getBytes());
responseBody.flush();
System.out.print(response);
Scanner source = new Scanner(new File(file));
String text;
while (source.hasNext())
{
text = source.nextLine() + "\n";
responseBody.write(text.getBytes());
}
source.close();
responseBody.close();
exchange.close();
}
}
}
If you only want to make a demonstration to your students, then I'd suggest to avoid the bells and whistles of a full-blown HTTP server running.
I'd have just a SSLServerSocket
serving a default HTML page whenever a secured connection is successfully made.
精彩评论