HttpsURLConnection Class
The https protocol is similar to http, but https first establishes a secure channel using SSL/TLS
sockets and then verifies the identity of the peer before
requesting/receiving data. The javax.net.ssl.HttpsURLConnection class extends the
java.net.HttpURLConnection class and adds support for https-specific features.
See the java.net.URL, java.net.URLConnection, java.net.HttpURLConnection, and javax.net.ssl.HttpsURLConnection classes for more information about how https URLs are
constructed and used.
With an HttpsURLConnection, you can
configure a number of http or https parameters before actually initiating
the network connection using the method URLConnection.connect.
Of particular interest are:
Setting the Assigned SSLSocketFactory
In some situations, it is desirable to specify the SSLSocketFactory that
an HttpsURLConnection instance uses. For example,
you may want to tunnel through a proxy type that isn't supported by
the default implementation. The new SSLSocketFactory could
return sockets that have already performed all necessary tunneling,
thereby allowing HttpsURLConnection to use additional
proxies.
The HttpsURLConnection class has a
default SSLSocketFactory which is assigned when the
class is loaded. (In particular it is the factory returned by the
method SSLSocketFactory.getDefault.) Future instances
of HttpsURLConnection will inherit the current default SSLSocketFactory until
a new default SSLSocketFactory is assigned to the
class using the static method HttpsURLConnection.setDefaultSSLSocketFactory.
Once an instance of HttpsURLConnection has been created,
the inherited SSLSocketFactory on this instance can
be overridden with a call to the setSSLSocketFactory method.
Note that changing the default static SSLSocketFactory has
no effect on existing instances of HttpsURLConnection;
a call to the setSSLSocketFactory method is necessary
to change an existing instance.
One can obtain the per-instance
or per-class SSLSocketFactory by making a call to
the getSSLSocketFactory/getDefaultSSLSocketFactory methods,
respectively.
Setting the Assigned HostnameVerifier
If the hostname of the URL does not match the hostname in the credentials
received as part of the SSL or TLS handshake, it is possible that
URL spoofing has occurred. If the implementation cannot determine a
hostname match with reasonable certainty, the SSL implementation will
perform a callback to the instance's assigned HostnameVerifier for
further checking. The hostname verifier can perform whatever steps
are necessary to make the determination, such as performing alternate
hostname pattern matching or perhaps popping up an interactive dialog
box. An unsuccessful verification by the hostname verifier will close
the connection. (See RFC 2818 for more information regarding hostname verification.)
The setHostnameVerifier/setDefaultHostnameVerifier methods
operate in a similar manner to the setSSLSocketFactory/setDefaultSSLSocketFactory methods,
in that there are HostnameVerifiers assigned on a
per-instance and per-class basis, and the current values can be obtained
by a call to the getHostnameVerifier/getDefaultHostnameVerifier methods.
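
The following added example (not part of the original guide) shows the per-class and per-instance behavior described in both sections above: an existing connection keeps the SSLSocketFactory it inherited, and a HostnameVerifier performs alternate hostname matching that rejects by default. The class name HttpsConfigDemo, the host alias, and the expected certificate name are constructed for illustration.

```java
import java.net.URI;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.*;

public class HttpsConfigDemo {
    // Constructed values: the URL uses an internal alias, the server certificate names EXPECTED_SAN.
    static final String ALIAS = "svc.internal.example";
    static final String EXPECTED_SAN = "service.example.com";

    // Invoked only when the built-in check could not match the URL host to the certificate.
    static final HostnameVerifier SAN_VERIFIER = (hostname, session) -> {
        if (!ALIAS.equalsIgnoreCase(hostname)) return false;
        try {
            Certificate leaf = session.getPeerCertificates()[0];
            if (!(leaf instanceof X509Certificate)) return false;
            Collection<List<?>> sans = ((X509Certificate) leaf).getSubjectAlternativeNames();
            if (sans == null) return false;
            for (List<?> san : sans) { // each entry is [type, value]; type 2 is dNSName
                if (Integer.valueOf(2).equals(san.get(0))
                        && EXPECTED_SAN.equalsIgnoreCase(String.valueOf(san.get(1)))) return true;
            }
            return false;
        } catch (Exception e) {
            return false; // no peer certificate or unparsable extension: reject
        }
    };

    public static void main(String[] args) throws Exception {
        URL url = URI.create("https://" + ALIAS + "/").toURL();
        SSLSocketFactory original = HttpsURLConnection.getDefaultSSLSocketFactory();
        // openConnection() only creates the object; no network traffic occurs until connect().
        HttpsURLConnection first = (HttpsURLConnection) url.openConnection();

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers, and randomness
        SSLSocketFactory custom = ctx.getSocketFactory();
        HttpsURLConnection.setDefaultSSLSocketFactory(custom);
        HttpsURLConnection second = (HttpsURLConnection) url.openConnection();

        System.out.println("first keeps old default:     " + (first.getSSLSocketFactory() == original));
        System.out.println("second inherits new default: " + (second.getSSLSocketFactory() == custom));

        first.setSSLSocketFactory(custom); first.setHostnameVerifier(SAN_VERIFIER);
        System.out.println("first overridden per instance: " + (first.getSSLSocketFactory() == custom));
    }
}
```

The verifier decides only the name question; certificate chain validation is still performed by the trust managers behind the SSLSocketFactory in use.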