[ Java 代碼範本 ] HttpClient4.x: Making HTTPS call using Apache HttpClient

Source From Here 
Preface 
This post details about making Secure HTTP (HTTPs) call from a server using Apache HTTPClient library. 

Trust any certificate approach (Simple, not recommended for production code.) 
The simplest will be to ignore the ssl certificates and to trust any connection. This approach is not acceptable for production code as it defeat the purpose of using HTTPS. However in some use cases if you want to try out something quickly you can go with this route. 

view plaincopy to clipboardprint?

1. import javax.net.ssl.SSLContext;  
2. import javax.net.ssl.X509TrustManager;  
3.   
4. import org.apache.http.client.HttpClient;  
5. import org.apache.http.conn.ssl.SSLConnectionSocketFactory;  
6. import org.apache.http.conn.ssl.SSLContexts;  
7.   
8. import org.apache.http.impl.client.CloseableHttpClient;  
9. import org.apache.http.impl.client.HttpClients;  
10.   
11. import java.security.SecureRandom;  
12.   
13. public class HttpClientFactory {  
14.   
15.     private static CloseableHttpClient client;  
16.   
17.     public static HttpClient getHttpsClient() throws Exception {  
18.   
19.         if (client != null) {  
20.             return client;  
21.         }  
22.         SSLContext sslcontext = SSLContexts.custom().useSSL().build();  
23.         sslcontext.init(null, new X509TrustManager[]{new HttpsTrustManager()}, new SecureRandom());  
24.         SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(sslcontext,  
25.                 SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);  
26.         client = HttpClients.custom().setSSLSocketFactory(factory).build();  
27.   
28.         return client;  
29.     }  
30.   
31.     public static void releaseInstance() {  
32.         client = null;  
33.     }  
34. }  

The above method will return httpClient object which can be used to make any HTTPS calls. Performing HTTPS call is no different from making HTTP call from now on. So you can have a factory with two methods, one for secure and one for non-secure. Here we have used HttpsTrustManager, which will do nothing more than trusing all clients. This is done by simply implementing X509TrustManager and auto generating all the methods. 

view plaincopy to clipboardprint?

1. import java.security.cert.CertificateException;  
2. import java.security.cert.X509Certificate;  
3.   
4. import javax.net.ssl.X509TrustManager;  
5.   
6. public class HttpsTrustManager implements X509TrustManager {  
7.   
8.     @Override  
9.     public void checkClientTrusted(X509Certificate[] arg0, String arg1)  
10.             throws CertificateException {  
11.         // TODO Auto-generated method stub  
12.   
13.     }  
14.   
15.     @Override  
16.     public void checkServerTrusted(X509Certificate[] arg0, String arg1)  
17.             throws CertificateException {  
18.         // TODO Auto-generated method stub  
19.   
20.     }  
21.   
22.     @Override  
23.     public X509Certificate[] getAcceptedIssuers() {  
24.         return new X509Certificate[]{};  
25.     }  
26.   
27. }  

Importing a keystore (Recommended) 
If you are writing produciton quality code, then you should be looking at this approach. Have a all the keys in your application and create a SSLContext using those keystores. The created SSLContext can then be injected to SSLConnectionSocketFactory and remaining steps will be the same. 

view plaincopy to clipboardprint?

1. import javax.net.ssl.SSLContext;  
2.   
3. import org.apache.http.client.HttpClient;  
4. import org.apache.http.conn.ssl.SSLConnectionSocketFactory;  
5. import org.apache.http.conn.ssl.SSLContexts;  
6.   
7. import org.apache.http.impl.client.CloseableHttpClient;  
8. import org.apache.http.impl.client.HttpClients;  
9. import java.io.File;  
10. import java.io.FileInputStream;  
11. import java.io.IOException;  
12. import java.security.KeyStore;  
13. import java.security.KeyStoreException;  
14. import java.security.NoSuchAlgorithmException;  
15. import java.security.cert.CertificateException;  
16. import java.security.KeyManagementException;  
17.   
18. public class HttpClientFactory {  
19.   
20.     private static CloseableHttpClient client;  
21.   
22.     public static HttpClient getHttpsClient() throws Exception {  
23.   
24.         if (client != null) {  
25.             return client;  
26.         }  
27.         SSLContext sslcontext = getSSLContext();  
28.         SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(sslcontext,  
29.                 SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);  
30.         client = HttpClients.custom().setSSLSocketFactory(factory).build();  
31.   
32.         return client;  
33.     }  
34.   
35.     public static void releaseInstance() {  
36.         client = null;  
37.     }  
38.   
39.     private SSLContext getSSLContext() throws KeyStoreException,   
40.     NoSuchAlgorithmException, CertificateException, IOException, KeyManagementException {  
41.         KeyStore trustStore  = KeyStore.getInstance(KeyStore.getDefaultType());  
42.         FileInputStream instream = new FileInputStream(new File("my.keystore"));  
43.         try {  
44.             trustStore.load(instream, "nopassword".toCharArray());  
45.         } finally {  
46.             instream.close();  
47.         }  
48.         return SSLContexts.custom()  
49.                 .loadTrustMaterial(trustStore)  
50.                 .build();  
51.     }  
52. }  

The only difference between the two approaches are the way the SSLContext been created.