Meaningless Drivel is fun!
The moose likes EJB and other Java EE Technologies and the fly likes OutputStream writing and SSL Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » EJB and other Java EE Technologies
Bookmark "OutputStream writing and SSL" Watch "OutputStream writing and SSL" New topic

OutputStream writing and SSL

Dom Lassy
Ranch Hand

Joined: May 05, 2006
Posts: 181
Hello. I have created a servlet that returns dynamically created binary files. The servlet works fine over http, but when it is called over https the browser "cannot find the file specified". Here is part of the servlet code:

I've read that I should do something like this:

What is the best practice for sending a dynamically created binary file to the client through a servlet? In the servlet, how can I determine if the request is coming from http or https? Since I am obviously new to SSL, are there any good resources that can help me understand the createSocket method and why it would be necessary. Thanks in advance.
Sol Mayer-Orn
Ranch Hand

Joined: Nov 13, 2002
Posts: 311
I think there are 2 issues here:

1. What you've read about having to create SSLSocket factory:
This is good for stand-alone applications (e.g. if you wanted to implement your own browser, to compete with IE6 or Firefox...).
But you *don't* need it for this web application example - the socket and connection are alrady managed for you .
Your first code has the correct approach: you get the OutputStream from the Request, and just write into it. The stream will already be encrypted, *provided* that your server supports SSL, and the browser used 'https://...' (n the address bar, link, etc).

2. The browser getting an error message:
I'm only guessing here, but perhaps your server (servlet container) isn't configured to support SSL ?
Your server's manual (or google...) will explain how to configure SSL, and also which secure port to use (e.g. Tomcat usually uses 8443). This information varies between vendors.

To check if SSL is enabled, take any old 'hello world' webapp (it doesn't need to be aware of encryption), and invoke it from a browser, using 'https' and your server's secure port.
E.g, with most Tomcats, you'll print the following (in the browser):

If the server is configured to support SSL, then the browser should see the normal reply (eg 'hello world'), and it would also tell you it's a secure connection (eg with IE6, you get the familiar little icon of a yellow lock).
Dom Lassy
Ranch Hand

Joined: May 05, 2006
Posts: 181
I appreciate the response. The server (Tomcat) is configured correctly for SSL. I run from https://localhost:8443/index.jsp and I get the little security lock from IE and the rest of the site works correctly and is secure. Is there any additional configuration that I need to do? Also, I can explain further what we are doing and maybe you can see if there is a conceptual problem with it:

The user submits a form and the struts action runs, puts the dynamic binary file into request scope, and forwards to our servlet. The servlet then runs the code that I posted in my original post. Like I said, it works fine over http, just not https.

I don't have any experience with SSL and that makes it hard to see any potential problems with the design.

Thanks again for the reply.
Dom Lassy
Ranch Hand

Joined: May 05, 2006
Posts: 181
If I change the response content-type from "application/pdf" to "text/html" the file not found error does not happen anymore, and everything works fine. Someone mentioned that this is a bug in IE having to do with caching the file and using some active-x control to open Adobe to view the file. Content-type "application/msexcel" and "application/rtf" have the same problems. I'll reply with any findings.

I'll also test to see if this issue exists in Firefox.
Dom Lassy
Ranch Hand

Joined: May 05, 2006
Posts: 181
The problem does not exist in Firefox and this explanation is from;en-us;316431:

When you attempt to open or download a Microsoft Office document (.doc file, .xls file, .ppt file, and so on) from a secure Web site in Internet Explorer, you may receive one of the following error messages, even though the document is available and downloaded from the server:

Error message 1

Internet Explorer cannot download file from server.
Internet Explorer was not able to open this Internet site.
The requested site is either unavailable or cannot be found. Please try again later.

Error message 2

The page cannot be displayed.
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
Cannot find server or DNS Error

Error message 3

Office Application Name cannot open the file.

Error message 4

Publisher cannot find the file you specified.
The problem occurs if the server is using Secure Sockets Layer (SSL) and has added one or both of the following HTTP headers to the response message: Pragma: no-cache
Cache-control: no-cache,max-age=0,must-revalidate

In order for Internet Explorer to open documents in Office (or any out-of-process, ActiveX document server), Internet Explorer must save the file to the local cache directory and ask the associated application to load the file by using IPersistFile::Load. If the file is not stored to disk, this operation fails.

When Internet Explorer communicates with a secure Web site through SSL, Internet Explorer enforces any no-cache request. If the header or headers are present, Internet Explorer does not cache the file. Consequently, Office cannot open the file.

Web sites that want to allow this type of operation should remove the no-cache header or headers.

==== END PASTE ====

It is a great resolution considering that the file name is static and the contents are dynamic.
Slaven Bulog

Joined: May 30, 2007
Posts: 1
We had the same problem with a servlet that returns dynamically created binary files using tomcat 5.5 with ssl and (with try-and-error) I found the reason for this behaviour in the configuration of our web.xml:

I removed this part of the configuration and it was working. But of course, you should know what you are doing, when you are configuring your security-constraints
[ May 30, 2007: Message edited by: Slaven Bulog ]
I agree. Here's the link:
subject: OutputStream writing and SSL
It's not a secret anymore!