Https java api security

Ranch Hand
Posts: 129
I have an application and I want to provide security at the time of login and form submission.

Is there any Java API to provide secure (HTTPS) login or form submission?

If any, please provide me links... thanks in advance...
Ranch Hand
Posts: 405

Which application server are you using?

I did a configuration in JBoss to enable HTTPS authentication.

Check out the steps below to enable HTTPS in JBoss:

Step 1)
First of all, we are going to make a keystore. This is where we are going to store the keys on the server side. We will use the Java tool keytool for this. The algorithm used here is RSA.

At the selected directory:
keytool -genkey -alias <alias name> -keyalg RSA -keystore ./name.keystore

Fill in all the information that is asked.
A keystore with the name name.keystore is generated.

Step 2)
Then we have to make a Certificate Signing Request (CSR) for the Certificate Authority. We can get this signed by a certifying authority like VeriSign or Thawte.

keytool -certreq -keystore ./name.keystore -alias <alias name> -file <CSR file name>.csr

Enter the keystore password.
A <CSR file name>.csr file is generated.

If you are getting the CSR signed by a certifying authority, then skip the next step.
Step 3)
If you are going to sign your own CSR using, for example, OpenSSL, then the steps are:

(This assumes that you are working on a Linux machine with OpenSSL, which can be obtained from Follow the procedure to install OpenSSL)
To Sign the certificate:
Make a new directory:

cd /usr/local/
mkdir newCA

Copy openssl.cnf and
from the OpenSSL apps directory to your new directory (newCA)
cp ../../openssl-0.9.6a/apps/openssl.cnf newCA/
cp ../../openssl-0.9.6a/apps/ newCA/

Edit your new copy of openssl.cnf and
Set the dir variable to the current directory
dir = . # ("." specifies the current directory, where everything is kept)
Set the CATOP variable to the current directory:
CATOP=. # (“.” Specifies current directory where everything is kept)

Create the certificates for Certification Authority:
cd newCA
chmod 744 (only if necessary) –newca
ls -l

Send the <CSR file name>.csr file to the Certification Authority and create the server certificate:

cp <CSR file name>.csr /usr/local/newCA
or ftp the <CSR file name>.csr file to the m/c acting as CA.
cd /usr/local/newCA

Create the certificate:

openssl x509 -req -in <CSR file name>.csr -out <pem file name>.pem -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -outform PEM

Optionally convert the server certificate from PEM encoding to DER for distributing to clients:

openssl x509 -inform pem -outform der < cacert.pem > cacert.der

We receive two files, cacert.der, containing the CA's public key and a file <pem file name>.pem, containing the public key signed by the CA using the CA's private key. I will now import these two files into my keystore (the order is important!):

Step 4)
keytool -import -alias <CA alias name> -file cacert.der -keystore ./name.keystore

Step 5)
keytool -import -alias <alias name> -file <pem file name>.pem -keystore ./name.keystore

Important remark: if you get an exception that looks like this: Algorithm TLS not available, take a look at this file: $JAVA_HOME/jre/lib/security/ Check if the is in the list of Providers:
# List of providers and their preference orders (see above):

And we have to add the jcert.jar, jnet.jar and jsse.jar files to the $JAVA_HOME/jre/lib/ext folder and set the class path to the same.

Tomcat over SSL (HTTPS)
If we have Tomcat running as a JBoss service, we need to make a few changes in some configuration files:
1. $JBOSS_DIST/server/default/conf/jboss-service.xml
We want JaasSecurityDomain as SecurityManagerClass instead of JaasSecurityManager, so we need to change this in the file:
<!-- JAAS security manager and realm mapping -->
<mbean code=""
<attribute name="SecurityManagerClassName">

2. $JBOSS_DIST/server/default/conf/jboss-service.xml
Add the below lines after the paragraph mentioned above in jboss-service.xml

<mbean code=""
<arg type="java.lang.String" value="TomcatSSL" />

<attribute name="KeyStoreURL">put the path to your name.keystore file here</attribute>
<attribute name="KeyStorePass">put your name.keystore password here</attribute>

3. $JBOSS_DIST/server/default/deploy/tomcat4-service.xml
This is the final step: we remove the Connector that listens on port 8080 and replace it with one that listens on port 8443.

Add the following lines:

<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" enableLookups="true" scheme="https" secure="true" debug="0">
<Factory className=""
keystoreFile="d:\.keystore" keystorePass="123456" clientAuth="false" protocol="TLS"/>
</Connector>


<!-- A HTTP Connector on port 8080 -->
<Connector className = "org.apache.catalina.connector.http.HttpConnector"
port = "8080" minProcessors = "3" maxProcessors = "10" enableLookups = "true"
acceptCount = "10" debug = "0" connectionTimeout = "60000"/>

When you connect to your server now, don't use http://localhost:8080; use https://localhost:8443 instead. If you used a self-signed certificate or if your CA is not known to your browser, a confirmation dialog box will open and ask if you 'trust' the issuer of the certificate.
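
A check for the result of steps 4 and 5, as an added example that is not part of the original post: it loads the keystore with the standard java.security.KeyStore API and confirms that the alias holds a private key whose certificate chain is signed by the next certificate in the chain and has not expired. The class name KeystoreCheck and its command-line arguments are assumptions made for illustration.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

/** Added example (hypothetical class name): sanity-check a keystore after the CA reply is imported. */
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            fail("usage (from an interactive terminal): java KeystoreCheck <keystore file> <alias>");
        }
        // Read the password from the terminal so it stays out of the shell history.
        char[] pass = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        String alias = args[1];
        if (!ks.isKeyEntry(alias)) {
            fail("alias '" + alias + "' holds no private key, so the server cannot use it");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            cert.checkValidity(); // throws if expired or not yet valid
            if (i + 1 < chain.length) {
                // Each certificate must be signed by the next one in the chain.
                cert.verify(chain[i + 1].getPublicKey());
            }
            System.out.printf("[%d] subject=%s%n    issuer=%s%n    expires=%s%n", i,
                    cert.getSubjectX500Principal(), cert.getIssuerX500Principal(),
                    cert.getNotAfter());
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        boolean selfIssued = leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
        if (chain.length == 1 && selfIssued) {
            fail("still the self-signed certificate from -genkey; the signed reply was not imported");
        }
        System.out.println("OK: key entry with a chain of " + chain.length + " certificate(s)");
    }

    private static void fail(String msg) {
        System.err.println("FAIL: " + msg);
        System.exit(1);
    }
}
```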
ramnna jain
Ranch Hand
Posts: 129
Ujjwal, it is very helpful information...

I am using Tomcat server... Can I use this code, or do I need to follow some other procedure? If yes, then could you please provide me this information?

Thank you very much...
Posts: 43016
The Tomcat documentation has everything: