Beware! -> (code)bugs in the "JAVA Developers Almanac"

8 Message(s) by 3 Author(s) originally posted in java security

From: Lion-O

Date: Thursday, November 23, 2006

Sometimes I wonder; do not people /read/ API

<programming> (API, or "application programming interface")
	The interface (calling conventions) by which an {application
	program} accesses {operating system} and other services.  An
	API is defined at {source code} level and provides a level of
	{abstraction} between the application and the {kernel} (or
	other privileged utilities) to ensure the {portability} of the
	code.

	An API can also provide an interface between a {high level
	language} and lower level utilities and services which were
	written without consideration for the {calling conventions}
	supported by compiled languages.  In this case, the API's main
	task may be the translation of parameter lists from one format
	to another and the interpretation of {call-by-value} and
	{call-by-reference} arguments in one or both directions.

	(1995-02-15)

(application programming

1. The art of debugging a blank sheet of paper (or, in these
	days of on-line editing, the art of debugging an empty file).

	2. A pastime similar to banging one's head against a wall, but
	with fewer opportunities for reward.

	3. The most fun you can have with your clothes on (although
	clothes are not mandatory).

	[{Jargon File}]

	(2003-02-12)

interface)docs? I guess not..I'm current

<electronics> The quantity of {charge} per unit time, measured
	in Amperes (Amps, A).  By historical convention, the sign of
	current is positive for currents flowing from positive to
	negative {potential}, but experience indicates that electrons
	are negatively charged and flow in the opposite direction.

	(1995-10-05)

ly in the process

1. <operating system, software> The sequence of states of an
	executing {program}.  A process consists of the program {code}
	(which may be shared with other processes which are executing
	the same program), private data, and the state of the
	{processor}, particularly the values in its {registers}.  It
	may have other associated resources such as a {process
	identifier}, open files, {CPU time} limits, {shared memory},
	{child processes}, and {signal handlers}.

	One process may, on some {platforms}, consist of many
	{threads}.  A {multitasking} {operating system} can run
	multiple processes {concurrently} or in {parallel}, and allows
	a process to spawn "child" processes.

	(2001-06-16)

	2. <business> The sequence of activities, people, and systems
	involved in carrying out some business or achieving some
	desired result.  E.g. software development process, project
	management process, configuration management process.

	(2001-06-16)

to build a webapplication for online
payment and naturally security and encryption

<algorithm, cryptography> Any procedure used in {cryptography}
	to convert {plaintext} into {ciphertext} (encrypted message)
	in order to prevent any but the intended recipient from
	reading that data.

	Schematically, there are two classes of encryption primitives:
	{public-key cryptography} and {private-key cryptography}; they
	are generally used complementarily.
	Public-key encryption algorithms include {RSA};
	private-key algorithms include the obsolescent {Data Encryption
	Standard}, the {Advanced Encryption Standard}, as well as
	{RC4}.

	The {Unix} command {crypt} performs a weak form of encryption.
	Stronger encryption programs include {Pretty Good Privacy} and
	the {GNU Privacy Guard}.

	Other closely related aspects of {cryptograph} include
	{message digests}.

	(2003-04-12)

will become a major deal
for the whole project. Many examples show you how you need to use the
"-DJAVAx.net.ssl.trustStore=<keystore file

<file system> An element of data storage in a {file system}.

	The history of computing is rich in varied kinds of files and
	{file systems}, whether ornate (e.g., {Macintosh file system}
	for a well-known case) or deficient (e.g., many simple
	pre-1980s file systems don't allow {directories}).

	However, the prototypical file has these characteristics:

	* It is a single sequence of bytes (but consider {Macintosh}
	{resource forks}).

	* It has a finite length, unlike, e.g. a {Unix} {device}.

	* It is stored in a {non-volatile storage} medium (but see
	{ramdrive}).

	* It exists (nominally) in a {directory}.

	* It has a name that it can be referred to by in file
	operations, possibly in combination with its {path}.

	Additionally, a file system may associate other information
	with a file, such as {permission} bits or other {file
	attributes}; timestamps for file creation, last revision, and
	last access; revision numbers (a` la VMS), and other kinds of
	{magic}.

	Compare: {document}.

	(1997-04-08)

>" JAVA parameter

<programming> (Or "parameter") A name in a {function} or
	{subroutine} definition that is replaced by, or bound to, the
	corresponding {actual argument} when the function or
	subroutine is called.  In many languages formal arguments
	behave like {local variables} which get initialised on entry.

	See: {argument}.

	(2002-07-02)

in order to
load

1. To copy {data} (often {program} {code} to be {run}) into
	{memory}, possibly {parsing} it somehow in the process.
	E.g. "{WordPerfect} can't load this {RTF} file - are you sure
	it didn't get corrupted in the {download}?"  Opposite of
	{save}.

	2. The degree to which a computer, {network}, or other
	resource is used, sometimes expressed as a percentage of the
	maximum available.  E.g. "What kind of CPU load does that
	program give?", "The network's constantly running at 100%
	load".  Sometimes used, by extension, to mean "to increase the
	level of use of a resource".  E.g. "Loading a spreadsheet
	really loads the CPU".  See also: {load balancing}.

	3. To {install} a piece of {software} onto a system.
	E.g. "The computer guy is gonna come load Excel on my laptop
	for me".  This usage is widely considered to be incorrect.

	(2002-07-02)

your JVM

<language, architecture> (JVM) A specification for software
	which interprets {Java} programs that have been compiled into
	{byte-codes}, and usually stored in a ".class" file.  The JVM
	{instruction set} is {stack}-oriented, with variable
	instruction length.  Unlike some other instruction sets, the
	JVM's supports {object-oriented} programming directly by
	including instructions for object {method} invocation (similar
	to {subroutine} call in other instruction sets).

	The JVM itself is written in {C} and so can be {ported} to run
	on most {platforms}.  It needs {thread} support and {I/O} (for
	{dynamic class loading}).  The Java byte-code is independent
	of the platform.

	There are also some hardware implementations of the JVM.

	{Specification
	(http://www.javasoft.com/docs/books/vmspec/html/VMSpecTOC.doc.html)}.

	{Sun's Java chip
	(http://news.com/News/Item/0,4,9328,00.html)}.

	[Documentation?  Versions?]

	(2000-01-03)

with a keystore to trust. Or they simply set the JVM
system property 'JAVAx.net.ssl.trustStore'
(JAVA.lang.System.setProperty)) to change this value.

I do not want that, my goal

<programming> In {logic programming}, a {predicate} applied to
	its {arguments} which the system attempts to prove by matching
	it against the {clauses} of the program.  A goal may fail or
	it may succeed in one or more ways.

	(1997-07-14)

was to allow a user to dump

<operating system> 1. An undigested and voluminous mass of
	information about a problem or the state of a system,
	especially one routed to the slowest available output device
	(compare {core dump}), and most especially one consisting of
	{hexadecimal} or {octal} {runes} describing the byte-by-byte
	state of memory, mass storage, or some file.  In {elder days},
	debugging was generally done by "groveling over" a dump (see
	{grovel}); increasing use of high-level languages and
	interactive debuggers has made such tedium uncommon, and the
	term "dump" now has a faintly archaic flavour.

	2. A {backup}.  This usage is typical only at large
	{time-sharing} installations.

	{Unix manual page}: dump(1).

	[{Jargon File}]

	(1994-12-01)

a plain
certificate file (plain ASCII

The basis of character sets used in almost all present-day
	computers.  {US-ASCII} uses only the lower seven {bits}
	({character points} 0 to 127) to convey some {control codes},
	space, numbers, most basic punctuation, and unaccented letters
	a-z and A-Z.  More modern coded character sets (e.g.,
	{Latin-1}, {Unicode}) define extensions to ASCII for values
	above 127 for conveying special Latin characters (like
	accented characters, or German ess-tsett), characters from
	non-Latin writing systems (e.g., Cyrillic, or {Han
	characters}), and such desirable {glyphs} as distinct open-
	and close-quotation marks.  ASCII replaced earlier systems
	such as {EBCDIC} and {Baudot}, which used fewer bytes, but
	were each {broken} in their own way.

	Computers are much pickier about spelling than humans; thus,
	hackers need to be very precise when talking about characters,
	and have developed a considerable amount of verbal shorthand
	for them.  Every character has one or more names - some
	formal, some concise, some silly.

	Individual characters are listed in this dictionary with
	alternative names from revision 2.3 of the {Usenet} ASCII
	pronunciation guide in rough order of popularity, including
	their official {ITU-T} names and the particularly silly names
	introduced by {INTERCAL}.

	See {V} {ampersand}, {asterisk}, {back quote}, {backslash},
	{caret}, {colon}, {comma}, {commercial at}, {control-C},
	{dollar}, {dot}, {double quote}, {equals}, {exclamation mark},
	{greater than}, {hash}, {left bracket}, {left parenthesis},
	{less than}, {minus}, {parentheses}, {oblique stroke},
	{percent}, {plus}, {question mark}, {right brace}, {right
	brace}, {right bracket}, {right parenthesis}, {semicolon},
	{single quote}, {space}, {tilde}, {underscore}, {vertical
	bar}, {zero}.

	Some other common usages cause odd overlaps.  The "#", "$",
	">", and "&" characters, for example, are all pronounced "hex"
	in different communities because various assemblers use them
	as a prefix tag for {hexadecimal} constants (in particular,
	"#" in many assembler-programming cultures, "$" in the {6502}
	world, ">" at {Texas Instruments}, and "&" on the {BBC Micro},
	{Acorn Archimedes}, {Sinclair}, and some {Zilog Z80}
	machines).  See also {splat}.

	The inability of {US-ASCII} to correctly represent nearly any
	language other than English became an obvious and intolerable
	{misfeature} as computer use outside the US and UK became the
	rule rather than the exception (see {software rot}).  And so
	national extensions to US-ASCII were developed, such as
	Latin-1.

	Hardware and software from the US still tends to embody the
	assumption that US-ASCII is the universal character set and
	that words of text consist entirely of byte values 65-90 and
	97-122 (A-Z and a-z); this is a major irritant to people who
	want to use a character set suited to their own languages.
	Perversely, though, efforts to solve this problem by
	proliferating sets of national characters produced an
	evolutionary pressure (especially in protocol design, e.g.,
	the {URL} standard) to stick to {US-ASCII} as a subset common
	to all those in use, and therefore to stick to English as the
	language encodable with the common subset of all the ASCII
	dialects.  This basic problem with having a multiplicity of
	national character sets ended up being a prime justification
	for {Unicode}, which was designed, ostensibly, to be the *one*
	ASCII extension anyone will need.

	A system is described as "{eight-bit clean}" if it doesn't
	mangle text with byte values above 127, as some older systems
	did.

	See also {ASCII character table}, {Yu-Shiang Whole Fish}.

	(1995-03-06)

file in PEM

(PEM) {Internet} {electronic mail} which provides
	confidentiality, {authentication} and message integrity using
	various {encryption} methods.

	See also {Pretty Good Privacy}.

format) which is then parsed
by the webapplication and used to secure the actual https connection. If
the certificate matches all is well, and if not.. etc.

Although I can find my way around the API (application programming interface)docs quite well peeking at
some examples never hurt and so I came across the 'JAVA Developers
Almanac' website

<World-Wide Web> (Or "website") Any computer on the
	{Internet} running a {World-Wide Web} {server} process.  A
	particular website is usually identified by the {hostname}
	part of a {URL}.  Multiple hostnames may actually map to the
	same computer in which case they are known as "{virtual
	servers}".

	(2005-07-12)

(http://JAVAalmanac.com/) featuring free example code

<software> Instructions for a computer in some programming
	language, often {machine language}.  The word "code" is often
	used to distinguish instructions from {data} (e.g. "The code
	is marked 'read-only'") whereas "{software}" is used in
	contrast with "{hardware}" and may consist of more than just
	code.

	(2000-04-08)

.

People: BEWARE!! The author seems unable to read the API (application programming interface)docs himself
and as such certain code contains nasty bugs who's cause I can only
conclude to be plain 'PEBCAK' (Problem Exists Between Chair And
Keyboard).

Example... When working with https its rather easy to use the
'HttpsURLConnection' class

1. <programming> The prototype for an {object} in an
	{object-oriented language}; analogous to a {derived type} in a
	{procedural language}.  A class may also be considered to be a
	set of objects which share a common structure and behaviour.
	The structure of a class is determined by the {class
	variables} which represent the {state} of an object of that
	class and the behaviour is given by a set of {methods}
	associated with the class.

	Classes are related in a {class hierarchy}.  One class may be
	a specialisation (a "{subclass}") of another (one of its
	"{superclasses}") or it may be composed of other classes or it
	may use other classes in a {client-server} relationship.  A
	class may be an {abstract class} or a {concrete class}.

	See also {signature}.

	2. <programming> See {type class}.

	3. <networking> One of three types of {Internet addresses}
	distinguished by their most significant bits.

	3. <language> A language developed by the {Andrew Project}.
	It was one of the first attempts to add {object-oriented}
	features to {C}.

	(1995-05-01)

which makes working with https enabled
websites a breeze. The only possible "problem" might be the TrustManager
which demands that the "authorizing certificate" (the CA certificate
which tells you that you can trust the other party) needs to be known
somehow. In order to overcome this they show you how to create your own
trustmanager and then assign it to the used HttpsURLConnection.

They do this by setting up an SSL

1. <language> {Synthesizer Specification Language}.

	2. <language> {Syntax/Semantic Language} (S/SL).

	3. <networking, World-Wide Web> {Secure Sockets Layer}.

	(1996-09-08)

Context, then initializing this using
the new truststore and finally load up the HttpsURLConnection with the
SSLSocketFactory through the SSLContext mentioned earlier.

HOWEVER... Look at this code example (source:
http://JAVAalmanac.com/egs/JAVAx.net.ssl/TrustAll.html):

// Install the all-trusting trust manager
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new JAVA.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
}

// Now you can access an https URL

<World-Wide Web> (URL, previously "Universal") A {standard}
	way of specifying the location of an object, typically a {web
	page}, on the {Internet}.  Other types of object are described
	below.  URLs are the form of address used on the {World-Wide
	Web}.  They are used in {HTML} documents to specify the target
	of a {hyperlink} which is often another HTML document
	(possibly stored on another computer).

	Here are some example URLs:

	 http://www.w3.org/default.html
	 http://www.acme.co.uk:8080/images/map.gif
	 http://www.foldoc.org/?Uniform+Resource+Locator
	 http://www.w3.org/default.html#Introduction
	 ftp://wuarchive.wustl.edu/mirrors/msdos/graphics/gifkit.zip
	 ftp://spy:secret@ftp.acme.com/pub/topsecret/weapon.tgz
	 mailto:fred@doc.ic.ac.uk
	 news:alt.hypertext
	 telnet://dra.com

	The part before the first colon specifies the access scheme or
	{protocol}.  Commonly implemented schemes include: {ftp},
	{http} (World-Wide Web), {gopher} or {WAIS}.  The "file"
	scheme should only be used to refer to a file on the same
	host.  Other less commonly used schemes include {news},
	{telnet} or mailto ({e-mail}).

	The part after the colon is interpreted according to the
	access scheme.  In general, two slashes after the colon
	introduce a {hostname} (host:port is also valid, or for {FTP}
	user:passwd@host or user@host).  The {port} number is usually
	omitted and defaults to the standard port for the scheme,
	e.g. port 80 for HTTP.

	For an HTTP or FTP URL the next part is a {pathname} which is
	usually related to the pathname of a file on the server.  The
	file can contain any type of data but only certain types are
	interpreted directly by most {browsers}.  These include {HTML}
	and images in {gif} or {jpeg} format.  The file's type is
	given by a {MIME} type in the HTTP headers returned by the
	server, e.g. "text/html", "image/gif", and is usually also
	indicated by its {filename extension}.  A file whose type is
	not recognised directly by the browser may be passed to an
	external "viewer" {application}, e.g. a sound player.

	The last (optional) part of the URL may be a query string
	preceded by "?" or a "fragment identifier" preceded by "#".
	The later indicates a particular position within the specified
	document.

	Only alphanumerics, reserved characters (:/?#"<>%+) used for
	their reserved purposes and "$", "-", "_", ".", "&", "+" are
	safe and may be transmitted unencoded.  Other characters are
	encoded as a "%" followed by two {hexadecimal} digits.  Space
	may also be encoded as "+".  Standard {SGML} "&<name>;"
	character entity encodings (e.g. "&eacute;") are also accepted
	when URLs are embedded in HTML.  The terminating semicolon may
	be omitted if &<name> is followed by a non-letter character.

	{The authoritative W3C URL specification
	(http://www.w3.org/hypertext/WWW/Addressing/Addressing.html)}.

	(2000-02-17)

without having the certificate in
// the truststore
try {
URL url = new URL("https://hostname/index.html");
} catch (MalformedURLException e) {
}

Notice the use of the setDefaultSSLSocketFactory() method

<programming> The name given in {Smalltalk} and other
	{object-oriented languages} to a procedure or routine
	associated with one or more {classes}.  An {object} of a
	certain class knows how to perform actions, e.g. printing
	itself or creating a new instance of itself, rather than the
	function (e.g. printing) knowing how to handle different types
	of object.

	Different classes may define methods with the same name
	(i.e. methods may be {polymorphic}).  The term "method" is used
	both for a named operation, e.g. "PRINT" and also for the code
	which a specific class provides to perform tha
	t operation.

	Most methods operate on objects that are instances of a
	certain class.  Some object-oriented languages call these
	"object methods" to distinguish then from "{class methods}".

	In {Smalltalk}, a method is defined by giving its name,
	documentation, temporary local variables and a sequence of
	expressions separated by "."s.

	(2000-03-22)

... Now read
the API (application programming interface)docs for JAVAx.net.ssl.HttpsURLConnection and you will come
across: "setDefaultSSLSocketFactory - 'Sets the default SSLSocketFactory
inherited by new instance

<programming> An individual {object} of a certain {class}.
	While a class is just the type definition, an actual usage of
	a class is called "instance".  Each instance of a class can
	have different values for its {instance variables}, i.e. its
	{state}.

	(1998-03-06)

s of this class.'".

Reading the description of the method these folks /should/ be using
(setSSLSocketFactory) shows you: "Sets the SSLSocketFactory to be used
when this instance creates sockets for secure https URL connections.".I do not get it.. Is it really /that/ hard to RTFAD (Read The 'Fine' API (application programming interface)
Doc

/dok/ Common spoken and written shorthand for "documentation".
	Often used in the plural "docs" and in the construction "doc
	file" (i.e. documentation available on-line).

	[{Jargon File}]

umentation) ?

Well, I hope I might help some people with this....

--
Groetjes, Peter

.\\ PGP/GPG key: http://www.catslair.org/pubkey.asc

From: sgoo

Date: Friday, November 24, 2006

HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

I do not think there's any wrong with the code in the book. Here,
setDefaultSSLSocketFactory is a *static* method that can be called on
the class name. If you want to call the none static method
setSSLSocketFactory, you need an object

<object-oriented> In {object-oriented programming}, an
	instance of the data structure and behaviour defined by the
	object's {class}.  Each object has its own values for the
	{instance variables} of its class and can respond to the
	{methods} defined by its class.

	For example, an object of the "Point" class might have
	instance variables "x" and "y" and might respond to the "plot"
	method by drawing a dot on the screen at those coordinates.

	(2004-01-26)

(aka class instance). Where is
that object?

I've no idea how JRE

<language> (JRE) The part of the {Java Development Kit}
	required to run Java programs.  The JRE consists of the {Java
	Virtual Machine}, the {Java} platform core {classes} and
	supporting files.  It does not include the compiler, debugger
	or other tools present in the JDK.  The JRE is the smallest
	set of executables and files that constitute the standard Java
	platform.

	(1998-11-30)

handles an https URL inside. It seems at some
phase an object of the HttpsURLConnection type

<theory, programming> (Or "data type") A set of values from
	which a {variable}, {constant}, {function}, or other
	{expression} may take its value.  A type is a classification
	of data that tells the {compiler} or {interpreter} how the
	programmer intends to use it.  For example, the process and
	result of adding two variables differs greatly according to
	whether they are integers, floating point numbers, or strings.

	Types supported by most programming languages include
	{integers} (usually limited to some range so they will fit in
	one {word} of storage), {Booleans}, {floating point numbers},
	and characters.  {Strings} are also common, and are
	represented as {lists} of characters in some languages.

	If s and t are types, then so is s -> t, the type of
	{functions} from s to t; that is, give them a term of type s,
	functions of type s -> t will return a term of type t.

	Some types are {primitive} - built-in to the language, with no
	visible internal structure - e.g. Boolean; others are
	composite - constructed from one or more other types (of
	either kind) - e.g. {lists}, {arrays}, {structures}, {unions}.
	{Object-oriented programming} extends this with {classes}
	which encapsulate both the structure of a type and the
	operations that can be performed on it.

	Some languages provide {strong typing}, others allow {implicit
	type conversion} and/or {explicit type conversion}.

	(2003-12-22)

will be created to the
real connection things, and this is exactly what the doc calls "new
instances of this class".

Goo

From: Lion-O

Date: Saturday, November 25, 2006

HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
I do not think there's any wrong with the code in the book. Here,
setDefaultSSLSocketFactory is a *static* method that can be called on
the class name.

The setDefaultSSLSocketFactory "Sets the default SSLSocketFactory
inherited by new instances of this class.". Notice how
JAVAx.net.ssl.HttpsURLConnection is an abstract class with a protected
constructor? You do not simply "instantiate" it.

In the book example they define a reference

1. <programming> An {address}, from the point of view of a
	programming language.  A pointer may be typed, with its {type}
	indicating the type of data to which it points.

	The terms "pointer" and "reference" are generally
	interchangable although particular programming languages often
	differentiate these two in subtle ways.  For example, {Perl}
	always calls them references, never pointers.  Conversely, in
	C, "pointer" is used, although "a reference" is often used to
	denote the concept that a pointer implements.

	{Anthony Hoare} once said:

	Pointers are like jumps, leading wildly from one part of the
	data structure to another.  Their introduction into high-level
	languages has been a step backward from which we may never
	recover.

	[C.A.R.Hoare "Hints on Programming Language Design", 1973,
	Prentice-Hall collection of essays and papers by Tony Hoare].

	2. <operating system> (Or "mouse pointer") An {icon}, usually
	a small arrow, that moves on the screen in response to
	movement of a {pointing device}, typically a {mouse}.  The
	pointer shows the user which object on the screen will be
	selected etc. when a mouse button is clicked.

	(1999-07-07)

to it through use of the
JAVA.net.URL.open

1. To prepare to read or write a file.  This usually involves
	checking whether the file already exists and that the user has
	the necessary authorisation to read or write it.  The result
	of a successful open is usually some kind of {capability}
	(e.g. a {Unix} {file descriptor}) - a token that the user
	passes back to the system in order to access the file without
	further checks and finally to close the file.

	2. Abbreviation for "open (or left) parenthesis" - used when
	necessary to eliminate oral ambiguity.  To read aloud the LISP
	form (DEFUN FOO (X) (PLUS X 1)) one might say: "Open defun
	foo, open eks close, open, plus eks one, close close."

	3. Non-proprietary.  An open {standard} is one which can be
	used without payment.

	[{Jargon File}]

	(1995-01-31)

Connection() method and casting its result to a
HttpsURLConnection object. This automaticly implies

<logic> (=> or a thin right arrow) A binary {Boolean} function
	and {logical connective}.  A => B is true unless A is true and
	B is false.  The {truth table} is

		A B | A => B
		----+-------
		F F |   T
		F T |   T
		T F |   F
		T T |   T

	It is surprising at first that A => B is always true if A is
	false, but if X => Y then we would expect that (X & Z) => Y
	for any Z.

	(1995-09-30)

that all further
operations will be using the /current/ object and not any optional new
instances.

Therefor you need setSSLSocketFactory() because the settings need to
apply to new sockets created by the current instance.

--
Groetjes, Peter

.\\ PGP/GPG key: http://www.catslair.org/pubkey.asc

From: sgoo

Date: Saturday, November 25, 2006

wrote in message:

HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
> I do not think there's any wrong with the code in the book. Here,
> setDefaultSSLSocketFactory is a *static* method that can be called on
> the class name.The setDefaultSSLSocketFactory "Sets the default SSLSocketFactory
inherited by new instances of this class.". Notice how
JAVAx.net.ssl.HttpsURLConnection is an abstract class with a protected
constructor? You do not simply "instantiate" it.

I believe this includes new instances of child

<mathematics, data> (Or "child", "successor") In a {tree}, a
	{node} pointed to by a {parent}, i.e. another node closer to
	the {root node}.

	(1998-11-14)

classes of
HttpsURLConnection, which can be instantiated.

In the book example they define a reference to it through use of the
JAVA.net.URL.openConnection() method and casting its result to a
HttpsURLConnection object. This automaticly implies that all further
operations will be using the /current/ object and not any optional new
instances.

I do not see openConnection() called in the book example. Therefore I
think the example shows that by calling
HttpsURLConnection.setDefaultSSLSocketFactory(...) all URLs created
later can "automagically" use the new TrustManager. Maybe you can use
openConnection() and call setSSLSocketFactory(...) on the object you
get. That's another topic. It does not mean this example is incorrect.

Therefor you need setSSLSocketFactory() because the settings need to
apply to new sockets created by the current instance.
--
Groetjes, Peter
.\\ PGP/GPG key:http://www.catslair.org/pubkey.asc

From: Lion-O

Date: Saturday, November 25, 2006

Notice how JAVAx.net.ssl.HttpsURLConnection is an abstract class with
a protected constructor? You do not simply "instantiate" it.

I believe this includes new instances of child classes of
HttpsURLConnection, which can be instantiated.

You are right, but thats not what the book is using hence my comment.

I do not see openConnection() called in the book example. Therefore I
think the example shows that by calling
HttpsURLConnection.setDefaultSSLSocketFactory(...)

Thats incorrect. This method doesn't open a connection.

And once again, the last time I'll repeat

<programming> (Or "do loop") A {loop} construct found in many
	{imperative} programming languages which repeatedly executes
	some instructions while a condition is true.

	It is found in {Pascal}, {BASIC} and {C} ("do" form). The
	condition may be tested with a "while" or "until" {keyword}.

	In constrast to a {while} loop, the "loop body" is executed
	once before the condition is tested.  This is useful when the
	condition depends on the action of the loop body.  In the
	following BASIC loop "Hello" is printed once despite the fact
	that the condition is false;

	 i = 2
	 repeat
	   print "Hello"
	   i = i+1
	 until i>0

	See also {while loop} and {for loop}.

	(1999-05-06)

this, opening a connection
applies to the /current/ instance.

--
Groetjes, Peter

.\\ PGP/GPG key: http://www.catslair.org/pubkey.asc

From: sgoo

Date: Saturday, November 25, 2006

What I mean is, there are 2 ways:

1. Call HttpsURLConnection.setDefaultSSLSocketFactory(...), and all
HTTPS

<protocol> (HTTPS) A variant of {HTTP} used by {Netscape} for
	handling secure transactions.

	The {Netscape Navigator} supports a {URL} {access method},
	"https", for connecting to {HTTP} {servers} using {SSL}.

	"https" is a unique protocol that is simply {SSL} underneath
	{HTTP}.  You need to use "https://" for HTTP {URLs} with
	{SSL}, whereas you continue to use "http://" for HTTP URLs
	without SSL.  The default "https" {port} number is 443, as
	assigned by the {Internet Assigned Numbers Authority}.

	{(http://www.netscape.com/info/security-doc.html)}.

	(1995-01-16)

URL created later can go on
2. Call
((HttpsURLConnection)(myURL.getConnection())).setSSLSocketFactory(...)
and /this/ URL can go on

Either works. You just cannot say the first is wrong if you prefer the
second one.

From: jeff.lanzarotta

Date: Tuesday, November 28, 2006

Interesting that you are building a payment application, as I am
also... I've been really struggling over this SSL stuff... Is there
any good references/examples you can point

1. <unit, text> (Sometimes abbreviated "pt") The unit of
	length used in {typography} to specify text character height,
	{rule} width, and other small measurements.

	There are six slightly different definitions: {Truchet point},
	{Didot point}, {ATA point}, {TeX point}, {Postscript point},
	and {IN point}.

	In Europe, the most commonly used is Didot and in the US, the
	formerly standard ATA point has essentially been replaced by
	the PostScript point due to the demise of traditional
	typesetting systems and rise of desktop computer based systems
	running software such as {QuarkXPress}, {Adobe InDesign} and
	{Adobe Pagemaker}.

	There are 20 {twips} in a point and 12 points in a {pica}
	(known as a "Cicero" in the Didot system).

	{Different point systems
	(http://www.vakcer.com/oberon/dtp/fonts/point.htm)}.

	(2004-12-23)

	2. <hardware> To move a {pointing device} so that the
	on-screen pointer is positioned over a certain object on the
	screen such as a {button} in a {graphical user interface}.  In
	most {window systems} it is then necessary to {click} a
	(physical) button on the pointing device to activate or select
	the object.  In some systems, just pointing to an object is
	known as "mouse-over" {event} which may cause some help text
	(called a "tool tip" in {Windows}) to be displayed.

	(2001-05-21)

me to?

wrote in message:

Sometimes I wonder; do not people /read/ API (application programming interface)docs? I guess not..
I'm currently in the process to build a webapplication for online
payment and naturally security and encryption will become a major deal
for the whole project. Many examples show you how you need to use the
"-DJAVAx.net.ssl.trustStore=<keystore file>" JAVA parameter in order to
load your JVM with a keystore to trust. Or they simply set the JVM
system property 'JAVAx.net.ssl.trustStore'
(JAVA.lang.System.setProperty)) to change this value.
I do not want that, my goal was to allow a user to dump a plain
certificate file (plain ASCII file in PEM format) which is then parsed
by the webapplication and used to secure the actual https connection. If
the certificate matches all is well, and if not.. etc.
Although I can find my way around the API (application programming interface)docs quite well peeking at
some examples never hurt and so I came across the 'JAVA Developers
Almanac' website (http://JAVAalmanac.com/) featuring free example code.
People: BEWARE!! The author seems unable to read the API (application programming interface)docs himself
and as such certain code contains nasty bugs who's cause I can only
conclude to be plain 'PEBCAK' (Problem Exists Between Chair And
Keyboard).
Example... When working with https its rather easy to use the
'HttpsURLConnection' class which makes working with https enabled
websites a breeze. The only possible "problem" might be the TrustManager
which demands that the "authorizing certificate" (the CA certificate
which tells you that you can trust the other party) needs to be known
somehow. In order to overcome this they show you how to create your own
trustmanager and then assign it to the used HttpsURLConnection.
They do this by setting up an SSLContext, then initializing this using
the new truststore and finally load up the HttpsURLConnection with the
SSLSocketFactory through the SSLContext mentioned earlier.
HOWEVER... Look at this code example (source:
http://JAVAalmanac.com/egs/JAVAx.net.ssl/TrustAll.html):
// Install the all-trusting trust manager
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new JAVA.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
}
// Now you can access an https URL without having the certificate in
// the truststore
try {
URL url = new URL("https://hostname/index.html");
} catch (MalformedURLException e) {
}
Notice the use of the setDefaultSSLSocketFactory() method... Now read
the API (application programming interface)docs for JAVAx.net.ssl.HttpsURLConnection and you will come
across: "setDefaultSSLSocketFactory - 'Sets the default SSLSocketFactory
inherited by new instances of this class.'".
Reading the description of the method these folks /should/ be using
(setSSLSocketFactory) shows you: "Sets the SSLSocketFactory to be used
when this instance creates sockets for secure https URL connections.".
I do not get it.. Is it really /that/ hard to RTFAD (Read The 'Fine' API (application programming interface)
Documentation) ?
Well, I hope I might help some people with this....
--
Groetjes, Peter
.\\ PGP/GPG key: http://www.catslair.org/pubkey.asc

From: jeff.lanzarotta

Date: Tuesday, November 28, 2006

The processor that I am using gave me a URL 'https://xxx.yyy.zzz' to
connect to and a port

1. <networking> A logical channel or channel endpoint in a
	communications system.  The {Transmission Control Protocol}
	and {User Datagram Protocol} {transport layer} protocols used
	on {Ethernet} use port numbers to distinguish between
	(demultiplex) different logical channels on the same {network
	interface} on a computer.

	Each {application program} has a unique port number associated
	with it, defined in /etc/services or the {Network Information
	Service} "services" database.  Some {protocols}, e.g. {telnet}
	and {HTTP} (which is actually a special form of telnet) have
	default ports specified as above but can use other ports as
	well.

	Some port numbers are defined in {RFC 3232} (which replaces
	RFC 1700).  Ports are now divided into: "Well Known" or
	"Privileged", and "Ephemeral" or "Unprivileged" (comprising
	"Registered", "Dynamic", "Private").

	(2004-12-30)

	2. <operating system, programming> To translate or modify
	{software} to run on a different {platform}, or the results of
	doing so.  The {portability} of the software determines how
	easy it is to port.

	3. <language> An {imperative} language descended from {Zed}
	from {Waterloo Microsystems} (now {Hayes} Canada) ca. 1979.

	["Port Language" document in the Waterloo Port Development
	System].

	(2002-06-19)

number. I've had no luck in finding a way to
wrote in message:

Sometimes I wonder; do not people /read/ API (application programming interface)docs? I guess not..
I'm currently in the process to build a webapplication for online
payment and naturally security and encryption will become a major deal
for the whole project. Many examples show you how you need to use the
"-DJAVAx.net.ssl.trustStore=<keystore file>" JAVA parameter in order to
load your JVM with a keystore to trust. Or they simply set the JVM
system property 'JAVAx.net.ssl.trustStore'
(JAVA.lang.System.setProperty)) to change this value.
I do not want that, my goal was to allow a user to dump a plain
certificate file (plain ASCII file in PEM format) which is then parsed
by the webapplication and used to secure the actual https connection. If
the certificate matches all is well, and if not.. etc.
Although I can find my way around the API (application programming interface)docs quite well peeking at
some examples never hurt and so I came across the 'JAVA Developers
Almanac' website (http://JAVAalmanac.com/) featuring free example code.
People: BEWARE!! The author seems unable to read the API (application programming interface)docs himself
and as such certain code contains nasty bugs who's cause I can only
conclude to be plain 'PEBCAK' (Problem Exists Between Chair And
Keyboard).
Example... When working with https its rather easy to use the
'HttpsURLConnection' class which makes working with https enabled
websites a breeze. The only possible "problem" might be the TrustManager
which demands that the "authorizing certificate" (the CA certificate
which tells you that you can trust the other party) needs to be known
somehow. In order to overcome this they show you how to create your own
trustmanager and then assign it to the used HttpsURLConnection.
They do this by setting up an SSLContext, then initializing this using
the new truststore and finally load up the HttpsURLConnection with the
SSLSocketFactory through the SSLContext mentioned earlier.
HOWEVER... Look at this code example (source:
http://JAVAalmanac.com/egs/JAVAx.net.ssl/TrustAll.html):
// Install the all-trusting trust manager
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new JAVA.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
}
// Now you can access an https URL without having the certificate in
// the truststore
try {
URL url = new URL("https://hostname/index.html");
} catch (MalformedURLException e) {
}
Notice the use of the setDefaultSSLSocketFactory() method... Now read
the API (application programming interface)docs for JAVAx.net.ssl.HttpsURLConnection and you will come
across: "setDefaultSSLSocketFactory - 'Sets the default SSLSocketFactory
inherited by new instances of this class.'".
Reading the description of the method these folks /should/ be using
(setSSLSocketFactory) shows you: "Sets the SSLSocketFactory to be used
when this instance creates sockets for secure https URL connections.".
I do not get it.. Is it really /that/ hard to RTFAD (Read The 'Fine' API (application programming interface)
Documentation) ?
Well, I hope I might help some people with this....
--
Groetjes, Peter
.\\ PGP/GPG key: http://www.catslair.org/pubkey.asc

Next Message: Adding certificate to trusted certificates using an applet?