Can I use SSL with a servlet?

843811
843811 Member Posts: 49,851
Can I use SSL with a servlet? If so how?

Comments

  • 843811
    843811 Member Posts: 49,851
    You just need to have a web server that supports servlets and SSL. One such web server that is available for free is Jakarta Tomcat, http://jakarta.apache.org/tomcat. The SSL setup instructions should be in the installation docs. If you want to read SSL-related data inside the servlet, check the JSSE samples, or if it's not there I can send you my sample.
  • 843811
    843811 Member Posts: 49,851
    Does the server that comes with the servlet development kit support SSL, and could I see some sample code?
  • 843811
    843811 Member Posts: 49,851
    I'm not sure that this is what you're asking about, but the Servlet 2.2 and JSP 1.1 APIs are what Tomcat supports, and they don't directly reference any SSL stuff. In its web server portion, the Tomcat web server implements the SSL server socket factory as interfaced in the JSSE API (at least in v3.2.1). Like I said, go through the Tomcat installation instructions about SSL and you can figure out how things work. I think the docs don't cover how to create / store / use your server's SSL keys, but that's general knowledge not specific to servlets. If you want to know that, ask in another thread. In case you're wondering, you don't have to do anything tricky inside the servlet if you just want to enable SSL. It's done for you in the web server package.

    Inside the servlet itself, you can use the servlet request properties to retrieve SSL-related data. Here's a snippet of that:

    import javax.servlet.*;
    import javax.servlet.http.*;
    import java.util.*;
    import java.io.*;
    import java.security.cert.X509Certificate;
    import java.security.cert.Certificate;

    // JSSE classes
    import javax.net.*;
    import javax.net.ssl.*;
    // Vendor JSSE package; nothing below uses it, so it is commented out
    // to keep the class compiling on any JDK.
    // import com.ibm.net.ssl.*; // or com.sun.net.ssl.*;

    public class Example extends HttpServlet {

        /* cutting to the chase */

        // Escape a value for HTML output; certificate fields are chosen by the client.
        private static String esc(Object o) {
            return String.valueOf(o).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
        }

        public void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            resp.setContentType("text/html");
            PrintWriter pw = resp.getWriter();
            pw.println("<HTML><HEAD><TITLE>Example</TITLE></HEAD>");
            pw.println(" <BODY>");
            pw.println("<pre>");
            pw.println("Using the getAttribute method");

            // Cipher suite: a String on some containers, a String[] on others.
            Object obj = req.getAttribute("javax.net.ssl.cipher_suite");
            if (obj instanceof String) {
                pw.println("Cipher Suite: " + esc(obj));
                System.out.println("Servlet detects a cipher suite");
            } else if (obj instanceof String[]) {
                System.out.println("Servlet detects a cipher suite array");
                pw.print("Cipher Suite: { ");
                String[] otherArray = (String[]) obj;
                for (int x = 0; x < otherArray.length; x++) pw.print(esc(otherArray[x]) + " ");
                pw.println("}");
            } else if (obj != null) {
                pw.println("SSL Session Attribute javax.net.ssl.cipher_suite, type \""
                        + esc(obj.getClass().getName()) + "\":\n" + esc(obj));
            } else {
                pw.println("javax.net.ssl.cipher_suite attribute not set");
            }

            // SSL session object, if the container exposes one.
            obj = req.getAttribute("javax.net.ssl.session");
            if (obj instanceof SSLSession) {
                System.out.println("Servlet detects an SSL session object");
                pw.println("SSL session:");
                SSLSession session = (SSLSession) obj;
                pw.println("Cipher Suite: " + esc(session.getCipherSuite()));
                pw.println("Peer Host: " + esc(session.getPeerHost()));
                // The session ID is raw bytes, not text, so print it as hex.
                byte[] id = session.getId();
                StringBuilder hex = new StringBuilder();
                for (int x = 0; x < id.length; x++) {
                    hex.append(Integer.toHexString((id[x] & 0xff) | 0x100).substring(1));
                }
                pw.println("ID: " + hex);
            } else if (obj != null) {
                pw.println("SSL Session Attribute javax.net.ssl.session, type \""
                        + esc(obj.getClass().getName()) + "\":\n" + esc(obj));
            } else {
                pw.println("javax.net.ssl.session attribute not set");
            }

            // Client certificate chain.
            obj = req.getAttribute("javax.net.ssl.peer_certificates"); // JSSE recommended attr name
            // works for WebSphere 3.5 but not Tomcat 3.2.1
            if (obj instanceof Certificate[]) {
                System.out.println("Servlet detects a client certificate chain");
                pw.println("Client Certificate Array:");
                Certificate[] array = (Certificate[]) obj;
                for (int x = 0; x < array.length; x++) pw.println(esc(array[x]));
            } else if (obj != null) {
                pw.println("Client Certificate Attribute javax.net.ssl.peer_certificates, type \""
                        + esc(obj.getClass().getName()) + "\":\n" + esc(obj));
            } else {
                pw.println("javax.net.ssl.peer_certificates attribute not set");
            }

            pw.println();
            pw.println("Other attributes:");

            // Dump every remaining request attribute.
            Enumeration attrs = req.getAttributeNames();
            String name = null;
            while (attrs.hasMoreElements()) {
                name = (String) attrs.nextElement();
                if (!name.equals("javax.net.ssl.cipher_suite")
                        && !name.equals("javax.net.ssl.session")
                        && !name.equals("javax.net.ssl.peer_certificates")) {
                    Object value = req.getAttribute(name);
                    pw.println("Attribute " + esc(name) + ", type "
                            + (value == null ? "null" : esc(value.getClass())) + ": " + esc(value));
                }
            }
            pw.println("</pre>");
            pw.println(" </BODY>");
            pw.println("</HTML>");
        }
    }
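
Added example, not part of the thread: the snippet above reads the JSSE-recommended attribute names, and the poster notes that `javax.net.ssl.peer_certificates` is not set on Tomcat 3.2.1. Servlet 2.3 and later define container-independent names, read here after refusing plain-HTTP requests. The class name `TlsInfoServlet` is hypothetical, and the `javax.servlet` package is assumed to match the thread (recent containers use `jakarta.servlet`).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class name), not code from the thread.
public class TlsInfoServlet extends HttpServlet {

    // Attribute names defined by the Servlet specification (2.3 and later).
    static final String CIPHER = "javax.servlet.request.cipher_suite";
    static final String KEY_SIZE = "javax.servlet.request.key_size";
    static final String CERTS = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Refuse plain HTTP instead of silently reporting "not set".
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        // text/plain: a client-supplied certificate DN must not be rendered as HTML.
        resp.setContentType("text/plain; charset=UTF-8");
        PrintWriter pw = resp.getWriter();

        pw.println("Cipher suite: " + req.getAttribute(CIPHER));
        pw.println("Key size: " + req.getAttribute(KEY_SIZE));

        Object obj = req.getAttribute(CERTS);
        if (obj instanceof X509Certificate[] && ((X509Certificate[]) obj).length > 0) {
            X509Certificate[] chain = (X509Certificate[]) obj;
            // chain[0] is the client's own certificate; the rest are its issuers.
            pw.println("Client subject: " + chain[0].getSubjectX500Principal().getName());
            pw.println("Client issuer: " + chain[0].getIssuerX500Principal().getName());
            pw.println("Not after: " + chain[0].getNotAfter());
            pw.println("Chain length: " + chain.length);
        } else {
            // Absent unless the connector is configured to request client authentication.
            pw.println("No client certificate presented");
        }
    }
}
```

`isSecure()` describes the connection the container itself sees, so behind a TLS-terminating proxy it reflects only the proxy-to-container hop.
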
This discussion has been closed.