Apache HttpClient 的 HTTPS 调用实现
转载
本文将详细介绍如何使用 Apache HTTPClient 库来进行安全的 HTTP(HTTPs) 调用。
最简单的办法当然是忽视 ssl 证书并信任任何连接。但这种方式对于生产代码是不能接受的,因为它违背了使用 HTTPS 的初衷。尽管如此,在某些场景下,如果你想尽快尝试 HTTPS 的话你也可以选择这种方式。
信任任意证书 (简单,但不建议用于生产代码)
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509TrustManager;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import java.security.SecureRandom;
public class HttpClientFactory {
private static CloseableHttpClient client;
public static HttpClient getHttpsClient() throws Exception {
if (client != null) {
return client;
}
SSLContext sslcontext = SSLContexts.custom().useSSL().build();
sslcontext.init(null, new X509TrustManager[]{new HttpsTrustManager()}, new SecureRandom());
SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(sslcontext,
SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
client = HttpClients.custom().setSSLSocketFactory(factory).build();
return client;
}
public static void releaseInstance() {
client = null;
}
}
以上方法将会返回一个 httpClient 对象,它可用于进行任意 HTTPS 调用。从此以后,进行 HTTPS 调用和 HTTP 调用将一般无二。因此,你可以创建一个有两个方法的工厂,一个用于安全调用另一个用于非安全调用。
下面是上述代码中使用的 HttpsTrustManager,它除了信任所有客户端之外什么也不做。它只是简单的实现了 X509TrustManager 并自动生成了所有的方法。
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
public class HttpsTrustManager implements X509TrustManager {
@Override
public void checkClientTrusted(X509Certificate[] arg0, String arg1)
throws CertificateException {
// TODO Auto-generated method stub
}
@Override
public void checkServerTrusted(X509Certificate[] arg0, String arg1)
throws CertificateException {
// TODO Auto-generated method stub
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[]{};
}
}
导入 keystore (推荐)
如果你写的是生产质量的代码,那你要好好看一下这种方式了。这里会加载你应用里的所有的 key 并使用这些 keystore 创建了一个 SSLContext。被创建的 SSLContext 会被注入给 SSLConnectionSocketFactory,剩下的步骤就和上面的方式一模一样了。
import javax.net.ssl.SSLContext;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.KeyManagementException;
public class HttpClientFactory {
private static CloseableHttpClient client;
public static HttpClient getHttpsClient() throws Exception {
if (client != null) {
return client;
}
SSLContext sslcontext = getSSLContext();
SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(sslcontext,
SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
client = HttpClients.custom().setSSLSocketFactory(factory).build();
return client;
}
public static void releaseInstance() {
client = null;
}
private SSLContext getSSLContext() throws KeyStoreException,
NoSuchAlgorithmException, CertificateException, IOException, KeyManagementException {
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream instream = new FileInputStream(new File("my.keystore"));
try {
trustStore.load(instream, "nopassword".toCharArray());
} finally {
instream.close();
}
return SSLContexts.custom()
.loadTrustMaterial(trustStore)
.build();
}
}
以上两种方式唯一的不同点在于 SSLContext 的创建过程不一样。
