java 中的 https 最终得到了奇怪的结果
我试图向学生说明 https 在 java 中是如何使用的。但我感觉我的示例并不是最好的...
该代码在我的 Windows 7 上运行良好:我启动服务器,转到 https://localhost:8080/somefile。 txt 中,我被要求信任该证书,一切顺利。 当我尝试 http (在接受证书之前或之后)时,我只是得到一个空白页面,这对我来说没问题。
但是当我在 Windows XP 上尝试完全相同的事情时:同样的事情,一切顺利。但是(首先接受证书之后),我还可以通过 http 获取所有文件! (如果我在 https 之前先尝试 http 然后接受证书,我没有得到答案..)
我尝试刷新、硬刷新一百万次,但这应该不起作用, 正确的?
我的代码有问题吗?我不确定我是否使用正确的方法在这里实现 https...
package Security;
import java.io.*;
import java.net.*;
import java.util.*;
import java.util.concurrent.Executors;
import java.security.*;
import javax.net.ssl.*;
import com.sun.net.httpserver.*;
public class HTTPSServer
{
public static void main(String[] args) throws IOException
{
InetSocketAddress addr = new InetSocketAddress(8080);
HttpsServer server = HttpsServer.create(addr, 0);
try
{
System.out.println("\nInitializing context ...\n");
KeyStore ks = KeyStore.getInstance("JKS");
char[] password = "vwpolo".toCharArray();
ks.load(new FileInputStream("myKeys"), password);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, password);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), null, null);
// a HTTPS server must have a configurator for the SSL connections.
server.setHttpsConfigurator (new HttpsConfigurator(sslContext)
{
// override configure to change default configuration.
public void configure (HttpsParameters params)
{
try
{
// get SSL context for this configurator
SSLContext c = getSSLContext();
// get the default settings for this SSL context
SSLParameters sslparams = c.getDefaultSSLParameters();
// set parameters for the HTTPS connection.
params.setNeedClientAuth(true);
params.setSSLParameters(sslparams);
System.out.println("SSL context created ...\n");
}
catch(Exception e2)
{
System.out.println("Invalid parameter ...\n");
e2.printStackTrace();
}
}
});
}
catch(Exception e1)
{
e1.printStackTrace();
}
server.createContext("/", new MyHandler1());
server.setExecutor(Executors.newCachedThreadPool());
server.start();
System.out.println("Server is listening on port 8080 ...\n");
}
}
class MyHandler implements HttpHandler
{
public void handle(HttpExchange exchange) throws IOException
{
String requestMethod = exchange.getRequestMethod();
if (requestMethod.equalsIgnoreCase("GET"))
{
Headers responseHeaders = exchange.getResponseHeaders();
responseHeaders.set("Content-Type", "text/plain");
exchange.sendResponseHeaders(200, 0);
OutputStream responseBody = exchange.getResponseBody();
String response = "HTTP headers included in your request:\n\n";
responseBody.write(response.getBytes());
Headers requestHeaders = exchange.getRequestHeaders();
Set<String> keySet = requestHeaders.keySet();
Iterator<String> iter = keySet.iterator();
while (iter.hasNext())
{
String key = iter.next();
List values = requestHeaders.get(key);
response = key + " = " + values.toString() + "\n";
responseBody.write(response.getBytes());
System.out.print(response);
}
response = "\nHTTP request body: ";
responseBody.write(response.getBytes());
InputStream requestBody = exchange.getRequestBody();
byte[] buffer = new byte[256];
if(requestBody.read(buffer) > 0)
{
responseBody.write(buffer);
}
else
{
responseBody.write("empty.".getBytes());
}
URI requestURI = exchange.getRequestURI();
String file = requestURI.getPath().substring(1);
response = "\n\nFile requested = " + file + "\n\n";
responseBody.write(response.getBytes());
responseBody.flush();
System.out.print(response);
Scanner source = new Scanner(new File(file));
String text;
while (source.hasNext())
{
text = source.nextLine() + "\n";
responseBody.write(text.getBytes());
}
source.close();
responseBody.close();
exchange.close();
}
}
}
I'm trying to illustrate to students how https is used in java. But i have the feeling my example is not really the best out there...
The code works well on my windows 7: I start the server, go to https://localhost:8080/somefile.txt and i get asked to trust the certificate, and all goes well.
When I try over http (before or after accepting the certificate) I just get a blank page, which is ok for me.
BUT when I try the exact same thing on my windows XP: Same thing, all goes well. But then (after accepting the certificate first), I'm also able to get all the the files through http! (if I first try http before https followed by accepting the certificate, I get no answer..)
I tried refreshing, hard refreshing a million times but this should not be working, right?
Is there something wrong in my code? I'm not sure if I use the right approach to implement https here...
package Security;
import java.io.*;
import java.net.*;
import java.util.*;
import java.util.concurrent.Executors;
import java.security.*;
import javax.net.ssl.*;
import com.sun.net.httpserver.*;
public class HTTPSServer
{
public static void main(String[] args) throws IOException
{
InetSocketAddress addr = new InetSocketAddress(8080);
HttpsServer server = HttpsServer.create(addr, 0);
try
{
System.out.println("\nInitializing context ...\n");
KeyStore ks = KeyStore.getInstance("JKS");
char[] password = "vwpolo".toCharArray();
ks.load(new FileInputStream("myKeys"), password);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, password);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(), null, null);
// a HTTPS server must have a configurator for the SSL connections.
server.setHttpsConfigurator (new HttpsConfigurator(sslContext)
{
// override configure to change default configuration.
public void configure (HttpsParameters params)
{
try
{
// get SSL context for this configurator
SSLContext c = getSSLContext();
// get the default settings for this SSL context
SSLParameters sslparams = c.getDefaultSSLParameters();
// set parameters for the HTTPS connection.
params.setNeedClientAuth(true);
params.setSSLParameters(sslparams);
System.out.println("SSL context created ...\n");
}
catch(Exception e2)
{
System.out.println("Invalid parameter ...\n");
e2.printStackTrace();
}
}
});
}
catch(Exception e1)
{
e1.printStackTrace();
}
server.createContext("/", new MyHandler1());
server.setExecutor(Executors.newCachedThreadPool());
server.start();
System.out.println("Server is listening on port 8080 ...\n");
}
}
class MyHandler implements HttpHandler
{
public void handle(HttpExchange exchange) throws IOException
{
String requestMethod = exchange.getRequestMethod();
if (requestMethod.equalsIgnoreCase("GET"))
{
Headers responseHeaders = exchange.getResponseHeaders();
responseHeaders.set("Content-Type", "text/plain");
exchange.sendResponseHeaders(200, 0);
OutputStream responseBody = exchange.getResponseBody();
String response = "HTTP headers included in your request:\n\n";
responseBody.write(response.getBytes());
Headers requestHeaders = exchange.getRequestHeaders();
Set<String> keySet = requestHeaders.keySet();
Iterator<String> iter = keySet.iterator();
while (iter.hasNext())
{
String key = iter.next();
List values = requestHeaders.get(key);
response = key + " = " + values.toString() + "\n";
responseBody.write(response.getBytes());
System.out.print(response);
}
response = "\nHTTP request body: ";
responseBody.write(response.getBytes());
InputStream requestBody = exchange.getRequestBody();
byte[] buffer = new byte[256];
if(requestBody.read(buffer) > 0)
{
responseBody.write(buffer);
}
else
{
responseBody.write("empty.".getBytes());
}
URI requestURI = exchange.getRequestURI();
String file = requestURI.getPath().substring(1);
response = "\n\nFile requested = " + file + "\n\n";
responseBody.write(response.getBytes());
responseBody.flush();
System.out.print(response);
Scanner source = new Scanner(new File(file));
String text;
while (source.hasNext())
{
text = source.nextLine() + "\n";
responseBody.write(text.getBytes());
}
source.close();
responseBody.close();
exchange.close();
}
}
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您只想向学生进行演示,那么我建议您避免运行成熟的 HTTP 服务器的花哨功能。
每当成功建立安全连接时,我就会有一个
SSLServerSocket提供默认的 HTML 页面。If you only want to make a demonstration to your students, then I'd suggest to avoid the bells and whistles of a full-blown HTTP server running.
I'd have just a
SSLServerSocketserving a default HTML page whenever a secured connection is successfully made.