wood burning stoves 2.0*
The moose likes JSP and the fly likes Https java api security Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » JSP
Bookmark "Https java api security" Watch "Https java api security" New topic
Author

Https java api security

ramnna jain
Ranch Hand

Joined: Mar 16, 2009
Posts: 129

I have an application and I want to provide security at the time of login and form submission.

Is there any java api to provide secure(https) login or form submission.

If any please provide me links... thanks in advance...
ujjwal soni
Ranch Hand

Joined: Mar 28, 2007
Posts: 403
Hi,

Which application server are you using ?

I did a configuration in jboss to enable https authentication.

Check out below steps to enable https in jboss :

Step 1)
First of all, we are going to make a keystore. This is the place we are going to store the keys in on the serverside. We will use the Java-tool keytool for this. The algorithm used here is RSA.

At the selected directory:
keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore

Fill in all the information that is asked.
A keystore with the name name.keystore is generated.

Step 2)
Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certifying authority like verisign or thwate

keytool -certreq -keystore ./name.keystore -alias <alias name> -file < CSR file name>.csr

Enter the keystore password.
A < CSR file name>.csr file is generated.

If you are getting the CSR signed by a certifying authority, then skip the next step.
Step 3)
If you are using going to sign using your own CSR by using, for example, OpenSSL, then the steps are:

(This assumes that you are working on a Linux machine with OpenSSL, which can be obtained from www.openssl.org. Follow the procedure to install OpenSSL)
To Sign the certificate:
Make a new directory:

cd usr/local/
mkdir newCA

Copy openssl.cnf and CA.sh
from the OpenSSL apps directory to your new directory (newCA)
cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
cp ../../openssl-0.9.6a/apps/CA.sh newCA/

Edit your new copy of openssl.cnf and CA.sh:
Set the dir variable to the current directory
dir . # (“.” Specifies current directory where everything is kept)
Set the CATOP variable to the current directory:
CATOP=. # (“.” Specifies current directory where everything is kept)

Create the certificates for Certification Authority:
cd newCA
chmod 744 CA.sh (only if necessary)
CA.sh –newca
ls -l



Send the < CSR file name>.csr file to Certification authority and Creating Server Certificate

cp < CSR file name>.csr /usr/local/newCA
or ftp the < CSR file name>.csr file to the m/c acting as CA.
cd /usr/local/newCA

Create the certificate

openssl x509 -req -in < CSR file name>.csr -out <pem file name>.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM

Optionally convert the server certificate from PEM encoding to DER for distributing to Clients:

openssl x509 -inform pem -outform der < cacert.pem > cacert.cer

We receive two files, cacert.der, containing the CA's public key and a file <pem file name>.pem, containing the public key signed by the CA using the CA's private key. I will now import these two files into my keystore (the order is important!):

Step 4)
keytool -import -alias <alias name> -file cacert.der -keystore ./name.keystore

Step 5)
keytool -import -alias <alias name> -file <pem file name>.pem -keystore ./name.keystore


Important remark: if you get an exception that looks like this: java.security.NoSuchAlgorithmException: Algorithm TLS not available, take a look at this file: $JAVA_HOME/jre/lib/security/java.security. Check if the com.sun.net.ssl.internal.ssl.Provider is in the list of Providers:
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
security.provider.3=com.sun.rsajca.Provider
security.provider.4=com.sun.crypto.provider.SunJCE
security.provider.5=sun.security.jgss.SunProvider


And we have to add jcert.jar, jnet.jar and jsse.jar files to the $JAVA_HOME /jre/lib/ext folder and set the class path to the same.

Tomcat over SSL (HTTPS)
If we have Tomcat running as a jBoss service, we need to make a few changes in some configuration files:
1. $JBOSS_DIST/server/default/conf/jboss-service.xml
We want JaasSecurityDomain as SecurityManagerClass instead of JaasSecurityManager, so we need to change this in the file:
<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
name="jboss.security:service=JaasSecurityManager">
<attribute name="SecurityManagerClassName">
org.jboss.security.plugins.JaasSecurityDomain
</attribute>
</mbean>

2. $JBOSS_DIST/server/default/conf/jboss-service.xml
Add the below lines after the paragraph mentioned above in jboss-service.xml

<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="Security:service=JaasSecurityDomain,domain=TomcatSSL">
<depends>jboss.security:service=JaasSecurityManager</depends>
<constructor>
<arg type="java.lang.String" value="TomcatSSL" />
</constructor>

<attribute name="KeyStoreURL">put the path to your name.keystore file here</attribute>
<attribute name="KeyStorePass">put your name.keystore password here</attribute>
</mbean>

3. $JBOSS_DIST/server/default/deploy/tomcat4-service.xml
This is the final step: We remove the Connector that listens on port 8080 and replace it by one that listens on port 8443

Add the following lines:

<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" enableLookups="true" scheme="https" secure="true" debug="0">
<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
keystoreFile="d:\.keystore" keystorePass="123456" clientAuth="false" protocol="TLS"/>
</Connector>

After:

<!-- A HTTP Connector on port 8080 -->
<Connector className = "org.apache.catalina.connector.http.HttpConnector"
port = "8080" minProcessors = "3" maxProcessors = "10" enableLookups = "true"
acceptCount = "10" debug = "0" connectionTimeout = "60000"/>


When you connect to your server now, don't use port http://localhost:8080, use https://localhost:8443 instead. If you used a selfsigned certificate or if your CA is not known in your browser, a confirmation dialog box will open and ask if you 'trust' the issuer of the certificate.

Cheers!!!
Ujjwal B Soni <baroda, gujarat, india> <+919909981973>
"Helping hands are better than praying lips......"
ramnna jain
Ranch Hand

Joined: Mar 16, 2009
Posts: 129

Ujjwal, it is very helpful information ...

I am using Tomcat server ... can I use this code or I need to follow some other procedure, if yes then could you please provide me this information.

Thank you very much....
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41049
    
  43
The Tomcat documentation has everything: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html


Ping & DNS - my free Android networking tools app
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Https java api security
 
Similar Threads
Using https for login
Authentication over ssl in jsp
Login page
SSL configuration in WEBSPHERE APPLICATION SERVER
Doubts in Mock exam HFSJ