引自:
使用httpclient来进行https访问
<script type="text/javascript">
</script> <script src="http://pagead2.googlesyndication.com/pagead/show_ads.js" type="text/javascript"> </script> name="google_ads_frame" marginwidth="0" marginheight="0" src="http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-5535238706151070&dt=1192617147859&lmt=1192617145&format=300x250_as&output=html&correlator=1192617147859&channel=3317342662&url=http%3A%2F%2Fwww.yeqiangwei.com%2Fclub%2Ff37fp1t200935p1.html&color_bg=FFFFFF&color_text=000000&color_link=000000&color_url=000000&color_border=FFFFFF&ad_type=text&ref=http%3A%2F%2Fwww.google.cn%2Fsearch%3Fq%3DX509Certificate%2B%26complete%3D1%26hl%3Dzh-CN%26lr%3Dlang_zh-CN%257Clang_zh-TW%26inlang%3Dzh-CN%26newwindow%3D1%26start%3D10%26sa%3DN&cc=100&ga_vid=857131654.1192617148&ga_sid=1192617148&ga_hid=1481590946&flash=9&u_h=768&u_w=1024&u_ah=740&u_aw=1024&u_cd=32&u_tz=480&u_his=1&u_java=true&u_nplug=16&u_nmime=55" frameborder="0" width="300" scrolling="no" height="250" allowtransparency="allowtransparency">
httpclient完全支持ssl连接方式。通常,如果不需要进行客户端认证和服务器端认证的ssl连接,httpclient的处理方式是和http方式完全一样。
现在这里是讲的是需要客户端认证数字证书时的httpclient处理方式(因为需要客户端认证时,连接会被主动关闭)。
1。使用ie访问你要连结的url地址,这时你会看到弹出一个询问是否继续和服务器建立连接的对话框( 安全警报)。选择“查看证书”->“详细信息”->“复制文件到”导出数字证书(例: server.cer或server.crt)。
2。使用导出的数字证书来创建你的keystore
keytool -import -alias "my server cert" -file server.cer -keystore my.truststore
keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore
3。在引入AuthSSLProtocolSocketFactory.java,AuthSSLX509TrustManager.java和AuthSSLInitializationError后在你的代码里按下面的例子里来进行ssl连接
Protocol authhttps = new Protocol("https",
new AuthSSLProtocolSocketFactory(
new URL("file:my.keystore"), "mypassword",
new URL("file:my.truststore"), "mypassword"), 8443);
HttpClient client = new HttpClient();
client.getHostConfiguration().setHost("sh.12530", 8443, authhttps);
/*只能使用相对路径*/
GetMethod httpget = new GetMethod("/");
client.executeMethod(httpget);
附录:
AuthSSLInitializationError.java
public class AuthSSLInitializationError extends Error {
/**
* 构招一个AuthSSLInitializationError实例
*/
public AuthSSLInitializationError() {
super();
}
/**
* 用指定信息构造一个AuthSSLInitializationError实例
* @param message
*/
public AuthSSLInitializationError(String message) {
super(message);
}
}
AuthSSLX509TrustManager.java
import java.security.cert.X509Certificate;
import com.sun.net.ssl.X509TrustManager;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
public class AuthSSLX509TrustManager implements X509TrustManager
{
private X509TrustManager defaultTrustManager = null;
/** Log object for this class. */
private static final Log LOG = LogFactory.getLog(AuthSSLX509TrustManager.class);
/**
* Constructor for AuthSSLX509TrustManager.
*/
public AuthSSLX509TrustManager(final X509TrustManager defaultTrustManager) {
super();
if (defaultTrustManager == null) {
throw new IllegalArgumentException("Trust manager may not be null");
}
this.defaultTrustManager = defaultTrustManager;
}
/**
* @see com.sun.net.ssl.X509TrustManager#isClientTrusted(X509Certificate[])
*/
public boolean isClientTrusted(X509Certificate[] certificates) {
if (LOG.isInfoEnabled() && certificates != null) {
for (int c = 0; c < certificates.length; c++) {
X509Certificate cert = certificates[c];
LOG.info(" Client certificate " + (c + 1) + ":");
LOG.info(" Subject DN: " + cert.getSubjectDN());
LOG.info(" Signature Algorithm: " + cert.getSigAlgName());
LOG.info(" Valid from: " + cert.getNotBefore() );
LOG.info(" Valid until: " + cert.getNotAfter());
LOG.info(" Issuer: " + cert.getIssuerDN());
}
}
return this.defaultTrustManager.isClientTrusted(certificates);
}
/**
* @see com.sun.net.ssl.X509TrustManager#isServerTrusted(X509Certificate[])
*/
public boolean isServerTrusted(X509Certificate[] certificates) {
if (LOG.isInfoEnabled() && certificates != null) {
for (int c = 0; c < certificates.length; c++) {
X509Certificate cert = certificates[c];
LOG.info(" Server certificate " + (c + 1) + ":");
LOG.info(" Subject DN: " + cert.getSubjectDN());
LOG.info(" Signature Algorithm: " + cert.getSigAlgName());
LOG.info(" Valid from: " + cert.getNotBefore() );
LOG.info(" Valid until: " + cert.getNotAfter());
LOG.info(" Issuer: " + cert.getIssuerDN());
}
}
return this.defaultTrustManager.isServerTrusted(certificates);
}
/**
* @see com.sun.net.ssl.X509TrustManager#getAcceptedIssuers()
*/
public X509Certificate[] getAcceptedIssuers() {
return this.defaultTrustManager.getAcceptedIssuers();
}
}
AuthSSLProtocolSocketFactory .java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
import java.net.UnknownHostException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.ControllerThreadSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.sun.net.ssl.KeyManager;
import com.sun.net.ssl.KeyManagerFactory;
import com.sun.net.ssl.SSLContext;
import com.sun.net.ssl.TrustManager;
import com.sun.net.ssl.TrustManagerFactory;
import com.sun.net.ssl.X509TrustManager;
public class AuthSSLProtocolSocketFactory implements SecureProtocolSocketFactory {
/** Log object for this class. */
private static final Log LOG = LogFactory.getLog(AuthSSLProtocolSocketFactory.class);
private URL keystoreUrl = null;
private String keystorePassword = null;
private URL truststoreUrl = null;
private String truststorePassword = null;
private SSLContext sslcontext = null;
/**
* Constructor for AuthSSLProtocolSocketFactory. Either a keystore or truststore file
* must be given. Otherwise SSL context initialization error will result.
*
* @param keystoreUrl URL of the keystore file. May be <tt>null</tt> if HTTPS client
* authentication is not to be used.
* @param keystorePassword Password to unlock the keystore. IMPORTANT: this implementation
* assumes that the same password is used to protect the key and the keystore itself.
* @param truststoreUrl URL of the truststore file. May be <tt>null</tt> if HTTPS server
* authentication is not to be used.
* @param truststorePassword Password to unlock the truststore.
*/
public AuthSSLProtocolSocketFactory(
final URL keystoreUrl, final String keystorePassword,
final URL truststoreUrl, final String truststorePassword)
{
super();
this.keystoreUrl = keystoreUrl;
this.keystorePassword = keystorePassword;
this.truststoreUrl = truststoreUrl;
this.truststorePassword = truststorePassword;
}
private static KeyStore createKeyStore(final URL url, final String password)
throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException
{
if (url == null) {
throw new IllegalArgumentException("Keystore url may not be null");
}
LOG.debug("Initializing key store");
KeyStore keystore = KeyStore.getInstance("jks");
keystore.load(url.openStream(), password != null ? password.toCharArray(): null);
return keystore;
}
private static KeyManager[] createKeyManagers(final KeyStore keystore, final String password)
throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException
{
if (keystore == null) {
throw new IllegalArgumentException("Keystore may not be null");
}
LOG.debug("Initializing key manager");
KeyManagerFac