Introduction

Enterprise customers may develop Java applets or JavaBeans for electronic commerce applications where credit cards are involved. Encryption is an absolute requirement to make data exchanged between the client and the server more secure. HTTPS is a secure HTTP protocol that is used widely in Internet/intranet environments for exchanging secure information between client and server. HTTPS allows applets or beans to be downloaded into the web browser through a secure connection, and allows these applets or beans to make secure connections to the server. Java Plug-in 1.2.2 has basic HTTPS support. This document specifies how HTTPS is supported in different browser environments when Java Plug-in is used.

How Java Plug-in supports HTTPS

Java Plug-in supports Internet Explorer and Netscape Navigator on various Win32 platforms and Solaris platforms. Because of legal and export control requirements, there are many complications to adding HTTPS support directly into Java Plug-in. Instead, Java Plug-in leverages the HTTPS support in the browser and uses the browser's application programming interface (API) for making HTTPS connections.

Because of the varying degrees of HTTPS support in different browsers at the API level, HTTPS support in Java Plug-in is currently limited to two types of requests: GET and POST. The GET method is used for retrieving information identified by a given URL, while the POST method is used for requesting that the origin server accept the entity enclosed in the request. Although HTTPS support in Java Plug-in does not support the CONNECT method directly, HTTPS requests can still go through a proxy server transparently by HTTP tunneling supported by the browser.

The easiest way to leverage HTTPS support in Java Plug-in is to create an HTTPS URL object as follows:
........
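A sketch of the GET and POST usage this section describes, added here as an example and not taken from the original document. The class name HttpsFetch, its helper methods and the https://example.com/ URL are assumptions, and the code is written against the standard java.net handler on an ordinary JVM. It works only with java.net.URLConnection and rejects any URL whose scheme is not https.

```java
import java.io.*;
import java.net.URL;
import java.net.URLConnection;

public class HttpsFetch {                          // hypothetical class name
    // Open the URL through the generic API only; refuse anything that is not HTTPS.
    static URLConnection open(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol()))
            throw new IOException("refusing non-HTTPS URL: " + url);
        URLConnection conn = url.openConnection(); // no cast to HttpURLConnection
        conn.setUseCaches(false);                  // keep sensitive responses out of caches
        return conn;
    }

    static String get(URL url) throws IOException {
        return readAll(open(url));
    }

    // With the standard java.net handler, enabling output makes the request a POST.
    static String post(URL url, String form) throws IOException {
        URLConnection conn = open(url);
        conn.setDoOutput(true);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(form.getBytes("UTF-8"));
        }
        return readAll(conn);
    }

    static String readAll(URLConnection conn) throws IOException {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        try (InputStream in = conn.getInputStream()) {
            byte[] chunk = new byte[4096];
            for (int n; (n = in.read(chunk)) != -1; ) body.write(chunk, 0, n);
        }
        // Header-derived values can be missing or guessed: report, never trust for sizing.
        String type = conn.getContentType();       // may be null
        int declared = conn.getContentLength();    // -1 when unknown
        System.err.println("type=" + type + " declared=" + declared + " read=" + body.size());
        return body.toString("UTF-8");
    }

    public static void main(String[] args) throws IOException {
        // Placeholder URL; pass the real HTTPS endpoint as the first argument.
        URL url = new URL(args.length > 0 ? args[0] : "https://example.com/");
        System.out.println(get(url).length() + " characters received");
    }
}
```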
Please note that the URLConnection object returned from url.openConnection() is of type java.net.URLConnection, not java.net.HttpURLConnection. As a result, the operations that can be performed on this URLConnection object are minimal. The request and response headers are available in all versions of Internet Explorer through one of the following java.net.URLConnection methods:
Due to browser API limitations in Netscape, the request and response headers are not available. Some of the methods listed above (getContentType and getContentLength) will return some information based on a "best guess" algorithm.

HTTPS usually goes through SSL (Secure Sockets Layer) to make a secure connection. While HTTPS is supported in Java Plug-in and SSL is used internally, the API for accessing SSL is not exposed in Java Plug-in. In order to access SSL directly in the applet with Java Plug-in, an SSL Java Extension needs to be installed in the system. If an SSL Java Extension is installed with Java Plug-in, Java Plug-in will take advantage of it to make secure connections instead of using the browser's API. However, note that Java Plug-in currently does not ship with an SSL Java Extension. To learn more about an SSL Java Extension, please consult your Java security vendor.

HTTPS policy support in Java Plug-in

Java Plug-in supports all HTTPS policies that are supported in both Internet Explorer and Netscape Navigator. The HTTPS policy can be configured in the user preference dialog in the browser. Here are some examples of the HTTPS settings that are supported by the browsers:
For security reasons, no HTTPS requests are cached on disk by Java Plug-in by default. This policy can be changed in the user preference dialog in the browser.

Java Plug-in provides full proxy configuration support for HTTPS. Proxy configuration is retrieved from the browser during the startup of Java Plug-in. Users can also override the proxy configuration setting for HTTPS in the Java Plug-in Control Panel.

Client authentication is required for connecting to some secure servers through HTTPS. Certificates may be required on the client side for authentication purposes. Since Java Plug-in takes advantage of the browser's API for supporting HTTPS, certificates in the browser will be utilized and managed by the browser in the same way as when HTTPS requests are made from Java Plug-in.

When the HTTPS policy is changed in the browser, it will take effect the next time an HTTPS URL connection needs to be made from Java Plug-in. For more information about HTTPS policy in your browser, please consult the user guide for your browser.

Conclusion

Users can take advantage of Java Plug-in HTTPS support in the browser for e-commerce applications transparently whenever an HTTPS connection is needed. Moreover, Java Plug-in recognizes and works seamlessly in your intranet environment with your browser's HTTPS policy.