Chapter 6 Protocol Support

HTTP, FTP and Gopher

Java Plug-in supports HTTP, FTP, and GOPHER protocols, including built-in proxy configuration support.

HTTPS

Introduction

Prior to version 1.4 of the Java 2 Platform, Standard Edition, Java Plug-in supported HTTPS through browser-dependent native APIs. Java^TM Secure Socket Extension (JSEE) is a new Java extension in 1.4, providing a Java implementation of SSL and HTTPS for the Java platform. Java Plug-in in 1.4 leverages JSSE to provide HTTPS support, instead of relying on the browser.

This provides the following advantages over using browser-dependent native APIs for support:

• No native code is used, eliminating separate HTTPS support for each browser on each platform and making code more maintainable and portable.

• Implementation of java.net.HttpsURLConnection is provided in JSSE, allowing developers to take advantages of all features in HTTPS, including tunneling.

• Support is multi-threaded. Because the implementation is in Java, there is no need to have a mutex to lock up connections and Java performance is enhanced for simultaneous HTTPS connections.

Java Plug-in supports HTTPS through JSSE for Win32, Linux and the Solaris operating environment.

Proxy and Cookie Support

A different proxy configuration may be used for every HTTPS connection. Java Plug-in provides full proxy configuration support in HTTPS. Proxy configuration may be set through user preference in the browser, as well as the Java Plug-in Control Panel. Direct, manual and automatic proxy configuration are supported.

Cookies may be sent/received for every HTTPS connection. Java Plug-in provides full cookie support, automatically retrieving or updating cookies through the browser cookie store.

Error handling support

When accessing an HTTPS server, errors may occur. Java Plug-in has hooked into JSSE to provide the following types of error handling:

• Hostname mismatch: If the HTTPS server host name does not match the name on the server certificate, a warning dialog will appear.

• Untrusted server certificate: If the server certificate can not be verified during the SSL handshaking, a warning dialog will appear.

• Untrusted client certificate: In case client authentication is required by the server and the client certificate cannot be verified, a warning dialog will be appear.

• Server authentication: If the client accesses a protected directory on the HTTPS server, the users will be prompted for a username and password. Note: Only basic and digest authentication are currently supported.

Potential issues with HTTPS through JSSE

Although support of HTTPS through JSSE eliminates many browser-specific problems, there are several issues that developers should be aware of:

• Untrusted server certificate: When SSL handshaking takes place in establishing an HTTPS connection, the server certificate is verified against the root CA store in J2SE. However, J2SE supports fewer root CA certificates than does the browser. As a result, you may have problems with untrusted server certificates.

• Client authentication: An HTTPS server may require client authentication, in which case a local client certificate is sent to the server for authentication. In JSSE, client certificates are stored in a separate file and are independent of the browser. In order for client authentication to work, developers must import client certificates into JSSE through the keytool. For more information, see the JSSE documentation online at http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html.

• Level of error handling: Java Plug-in currently handles the types of error listed in the previous section. However, if there are additional types of error that Java Plug-in doesn't recognize, the Java applet code may break.

• Startup delay: When HTTPS is used, a secure random generator will be created. This process may take several seconds to a minute, depending on the speed of the client machine. In some cases, Java Plug-in may appear to be hung during the creation of the secure random generator. This issue has been addressed by delaying the loading of HTTPS code in Java Plug-in as well as leveraging the native OS secure-seed generator if available on the platform; thus, Java Plug-in startup time should not be affected if HTTPS is not used. However, some users may still see the startup delay, depending on the exact loading sequence of the startup code in Java Plug-in.

Socks

Java Plug-in currently supports SOCKS version 4.

For HTTP/HTTPS, a SOCKS proxy server may be used with a web proxy server to add caching. The behavior, however, may differ from that observed when running a similar configuration in a browser without Java Plug-in.