Replacing the default trust manager with a no-op (accept-all) trust manager for a Java HTTPS connection — i.e. certificate validation disabled



The sample below shows how to skip HTTPS certificate validation for a Java HTTPS connection. In this sample the trust manager does nothing, so every server certificate is accepted and every HTTPS connection is treated as valid; the hostname verifier is disabled as well. That removes the protection TLS gives against a man-in-the-middle (the credentials in the POST can be read or redirected by anyone on the path), and because the socket factory is installed with setDefaultSSLSocketFactory it affects every HttpsURLConnection in the JVM, not just this one. Use it only in a test environment against a test account, never in production code. Tested only on JDK 1.6.

<script><![CDATA[

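/**
 * Builds a trust manager that accepts EVERY certificate chain without checking it.
 *
 * WARNING: installing this disables certificate chain validation entirely, so any
 * on-path attacker can impersonate the server (CWE-295). It exists only to get a
 * throw-away test script past a self-signed or otherwise untrusted certificate;
 * never ship it and never use it with real credentials. The safe alternative is to
 * import the server/CA certificate into a truststore and keep the JDK default
 * X509TrustManager.
 *
 * @return a single-element array holding the permissive trust manager
 */
private javax.net.ssl.TrustManager[] get_trust_mgr() {
    javax.net.ssl.X509TrustManager acceptAll = new javax.net.ssl.X509TrustManager() {
        // The X509TrustManager contract requires a non-null (possibly empty) array;
        // the original returned null, which makes callers that enumerate the
        // accepted issuers throw a NullPointerException.
        @Override
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return new java.security.cert.X509Certificate[0];
        }

        // Deliberately empty: every client chain is accepted unchecked.
        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) { }

        // Deliberately empty: every server chain is accepted unchecked.
        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) { }
    };
    return new javax.net.ssl.TrustManager[] { acceptAll };
}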
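// Install the accept-everything trust manager from get_trust_mgr() as the JVM-wide
// default. From here on EVERY HttpsURLConnection in this process skips certificate
// validation, not just the one below, and together with the permissive
// HostnameVerifier further down this leaves the login request (credentials
// included) open to a man-in-the-middle. Test-only: run it against a test account
// on a lab network, never in production.
javax.net.ssl.SSLContext ssl_ctx = javax.net.ssl.SSLContext.getInstance("TLS");
javax.net.ssl.TrustManager[] trust_mgr = get_trust_mgr();
ssl_ctx.init(null,                              // key manager: none, no client certificate is presented
             trust_mgr,                         // trust manager: the permissive one from get_trust_mgr()
             new java.security.SecureRandom()); // random number generator
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(ssl_ctx.getSocketFactory());

// Login form body. The credentials are a literal in the script, so they end up in
// source control and in any log of the script; keep the placeholder bound to a
// throw-away test account. The values are not URL-encoded ("Log On" carries a
// space); that is tolerable for this fixed ASCII body, but anything user-supplied
// would have to go through java.net.URLEncoder first.
String urlParameters = "&username=username&password=PASSWORD&LogOn=Log On";
// Encode once and reuse for both the Content-Length header and the write so the
// two cannot disagree; String.length() counts chars, not bytes, and
// DataOutputStream.writeBytes silently truncates non-Latin-1 chars.
byte[] body = urlParameters.getBytes(java.nio.charset.Charset.forName("UTF-8"));

String request = "https://corp.dcra.dc.gov/Account.aspx/LogOn";
URL url = new URL(request);
// setHostnameVerifier is defined on HttpsURLConnection only, not on the plain
// HttpURLConnection the original cast to, so the HTTPS subtype is required here.
javax.net.ssl.HttpsURLConnection connection =
        (javax.net.ssl.HttpsURLConnection) url.openConnection();

// Accept any host name in the server certificate. This is the second half of the
// validation bypass: even a valid certificate for a different site now passes.
connection.setHostnameVerifier(new javax.net.ssl.HostnameVerifier() {
    @Override
    public boolean verify(String host, javax.net.ssl.SSLSession sess) {
        return true;
    }
});

try {
    connection.setDoOutput(true);
    connection.setDoInput(true);
    // Redirects are not followed, so the headers read below belong to the first
    // response to the POST itself.
    connection.setInstanceFollowRedirects(false);
    connection.setRequestMethod("POST");
    connection.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0");
    connection.setRequestProperty("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    // NOTE(review): Host, Origin and Content-Length are restricted headers in the
    // JDK's HttpURLConnection and are dropped unless the JVM runs with
    // -Dsun.net.http.allowRestrictedHeaders=true (the JDK sets Host and
    // Content-Length itself). Kept as in the original request; confirm on the
    // target JDK.
    connection.setRequestProperty("Host", "corp.dcra.dc.gov");
    connection.setRequestProperty("Origin", "https://corp.dcra.dc.gov");
    connection.setRequestProperty("Referer", "https://corp.dcra.dc.gov/Account.aspx/LogOn?ReturnUrl=%2fHome.aspx%2fProcessRequest");
    connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
    connection.setRequestProperty("Content-Length", Integer.toString(body.length));
    connection.setUseCaches(false);

    // Plain try/finally rather than try-with-resources: the sample targets JDK 1.6.
    java.io.OutputStream out = connection.getOutputStream();
    try {
        out.write(body);
        out.flush();
    } finally {
        out.close();
    }

    // Gather the session cookies from every Set-Cookie header. Only the name=value
    // pair (text before the first ';') is kept; stripping the literal
    // "path=/; HttpOnly" as the original did leaks any other attribute (Secure,
    // Expires, a capitalised Path=) into the Cookie header built from this value,
    // and the original also threw NullPointerException when no cookie was set.
    Map<String, List<String>> headers = connection.getHeaderFields();
    List<String> setCookies = headers.get("Set-Cookie"); // null when the server sent none
    StringBuilder jar = new StringBuilder();
    if (setCookies != null) {
        for (String setCookie : setCookies) {
            int attrStart = setCookie.indexOf(';');
            String pair = (attrStart < 0 ? setCookie : setCookie.substring(0, attrStart)).trim();
            if (pair.length() == 0) {
                continue;
            }
            if (jar.length() > 0) {
                jar.append("; ");
            }
            jar.append(pair);
        }
    }
    // `cookies` and `sys` are not declared in this snippet; the hosting script
    // environment is expected to provide them, exactly as in the original.
    cookies = jar.toString();
    sys.defineVariable("cookies", cookies, true);
} finally {
    // Release the connection even when the request throws.
    connection.disconnect();
}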
]]></script>