I need to call a secured web service (https). using Java (or even any other prog lang).
Do I need to do any extra steps rather than the usual steps to create a client for HTTP web service?
EDIT: please I need answer to this question too : If not, So how my client do decrypte the encrypted message sent from the web service??
Thanks
The Java URL api should handle this for you. There may be issues with certificates if the server certificate signer is not part of the standard Java CA set, but that's unlikely (and not too hard to fix).
Other languages will almost certainly have similar support.
The socket layer will handle all encryption and decryption for you.
If your web-service doesn't require client-certificate authentication, there's not so much to change (except the trust managers/trust stores, but you may tend to use the same ones for your overall application).
If your service wants client-certificate authentication, you'll need extra configuration steps. For example, if you're using Axis, you could try this approach: Choosing SSL client certificate in Java
(How this is done will depend on the language and the framework you're using.)
EDIT: Regarding "If not, So how my client do decrypte the encrypted message sent from the web service?", this is done by the SSL/TLS stack. Most HTTP libraries that support HTTPS will use the platform's SSL/TLS stack (JSSE in Java) more or less transparently: that's where the encryption/decryption will occur. If you're using a web-service framework, it's likely to have an API to configure the SSL/TLS trust settings (or which client-certificate to use), although it's also likely to use the system's default if you don't do anything.
Note that your question is about web-services secured with HTTPS, which only implies transport-level security (which is more or less transparently handled by the SSL/TLS stack of the platform you'll be using). Some web-services can also be secured using message-level security, in which case the framework on both client and server side will need to support this. This will certainly require more configuration. (In some cases, you may find message-level security implemented in conjunction with transport-level security, that is, exchanging signed or encrypted payload on top of HTTPS.)
理论上没有。HTTPS 基本上是基于 SSL/TLS 的 HTTP。因此,由于 SSL/TLS 都位于传输层,所以一切都应该与 HTTP 完全相同。现在,您将必须为服务器获取证书。
你不需要做任何事情。传输层自动处理这一切,对您的应用程序层没有任何麻烦。这意味着,您的程序无法区分常规 HTTP 和 HTTPS。
For the most part, HTTP clients will “just work” with HTTPS.
Of course, the only way to know for sure is to try it: take your favourite HTTP client and change the URL from http:// to https://.
正如其他人所指出的那样,它应该可以正常工作,除非您在服务器上对证书进行了自签名。在这种情况下,java 会抱怨,您需要将服务器密钥导入本地客户端密钥库。如果您需要将客户端软件部署到许多地方,这显然不是一个很好的解决方案,因为您需要在每个部署的客户端上执行此操作。在这种情况下,您可能希望在服务器上获得正确的证书。
您可以使用此处的代码信任 java 中的任何证书:http ://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html但这确实让您在中间攻击中向人开放,所以它纯粹是为发展。
如果客户端是 Windows .NET 应用程序,您可以使用以下代码信任所有 SSL 证书:
// Trust all SSL certificates
System.Net.ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy();
它会抱怨这已被弃用并提供替代方案,但这确实有效。