0

I make an HttpsURLConnection as below:

        try
        {
            URL url = new URL( host );
            HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
            connection.connect();
            logger.debug( connection.getResponseCode() == HttpURLConnection.HTTP_OK );
        }
        catch ( Exception ex )
        {
            logger.error( ex.getMessage() );
        }

The host I tested doesn't have a valid certificate, so when I tested within Eclipse, it catches an SSLHandshakeException, which is fine.

However, when I deployed as WebStart, it doesn't go to the catch clause but shows me the warning dialog instead:

[screenshot of the warning dialog]

If the user clicks Continue, it passes connect() successfully.

Is there any way that I can catch the exception instead of allowing the user to click Continue from this dialog?

Doan Linh
  • 107
  • 8

2 Answers

2

Java WebStart plugs its own SSLSocketFactory

From https://docs.oracle.com/javase/tutorial/deployment/webstart/security.html

Dynamic Downloading of HTTPS Certificates

Java Web Start dynamically imports certificates as browsers typically do. To do this, Java Web Start sets its own https handler, using the java.protocol.handler.pkgs system properties, to initialize defaults for the SSLSocketFactory and HostnameVerifier. It sets the defaults with the methods HttpsURLConnection.setDefaultSSLSocketFactory and HttpsURLConnection.setDefaultHostnameVerifier.

If your application uses these two methods, ensure that they are invoked after the Java Web Start initializes the https handler, otherwise your custom handler will be replaced by the Java Web Start default handler.

You can ensure that your own customized SSLSocketFactory and HostnameVerifier are used by doing one of the following:

  • Install your own https handler, to replace the Java Web Start https handler.
  • In your application, invoke HttpsURLConnection.setDefaultSSLSocketFactory or HttpsURLConnection.setDefaultHostnameVerifier only after the first https URL object is created, which executes the Java Web Start https handler initialization code first.

You may be able to revert in your code with

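    SSLContext context = SSLContext.getInstance("TLS");
    // An SSLContext must be initialized before use; nulls select the JRE default key and trust managers
    context.init(null, null, null);
    HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());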

I did not check the mileage how to get the original SSLContext, you may need to dig deeper.

mtraut
  • 4,720
  • 3
  • 24
  • 33
  • Thanks, very helpful information; now I know why it doesn't work as expected with WebStart. However, I haven't tried it out since I found another workaround. Will dig deeper into this approach. – Doan Linh Dec 01 '16 at 02:35
2

To disable the dialog use this:

    connection.setAllowUserInteraction(false);

Now you should get the exception immediately if the JVM is not happy with the certificate.

Dr.Haribo
  • 1,778
  • 1
  • 31
  • 43
  • It looks like a valid setting, thanks! Unfortunately, I will try it out another time since I already found a workaround by not calling "connect" but making an API request (like ping) instead, and it catches the exception successfully on failure. – Doan Linh Dec 01 '16 at 02:37
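An added example, not code from either answer or from Oracle: a variation on the two answers above that sets a socket factory on the connection itself, built from the JRE's default trust store, and disables user interaction, so an untrusted certificate lands in the catch clause. The class and method names are hypothetical, and it is an assumption, not verified here, that the Web Start https handler honours a per-connection factory and that the default trust store is unchanged under Web Start.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class StrictHttpsProbe {
    /** Builds an SSLContext backed only by the JRE's default trust store (cacerts). */
    static SSLContext jreTrustOnlyContext() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);            // null = use the default trust store
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    /** Returns true on HTTP 200, false when the certificate chain is rejected. */
    static boolean probe(String host) throws IOException, GeneralSecurityException {
        HttpsURLConnection connection = (HttpsURLConnection) new URL(host).openConnection();
        // Per-connection settings: the process-wide defaults are left untouched.
        connection.setSSLSocketFactory(jreTrustOnlyContext().getSocketFactory());
        connection.setAllowUserInteraction(false);   // never prompt the user
        connection.setConnectTimeout(5000);
        connection.setReadTimeout(5000);
        try {
            connection.connect();
            return connection.getResponseCode() == HttpsURLConnection.HTTP_OK;
        } catch (SSLHandshakeException ex) {
            // Untrusted, expired or self-signed certificate chain: fail closed.
            System.err.println("TLS handshake rejected: " + ex.getMessage());
            return false;
        } finally {
            connection.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java StrictHttpsProbe https://host/");
            return;
        }
        System.out.println("trusted and reachable: " + probe(args[0]));
    }
}
```

Other I/O failures (DNS, timeouts, connection refused) propagate as IOException so they are not mistaken for a certificate rejection.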