I'm making an application that requires it to be authenticated on startup with a "secret key" as defined in a configuration file. I can't have the app call to a database so I'm thinking I need to do an HTTP request, however I am not sure how I should go about doing this and how it can't be exploited.
I just need somewhere to start, thanks!
You can use SSL. Then to manage trusted certs, you can implement your own javax.net.ssl.X509TrustManager. You can use the javax.net.ssl.X509TrustManager to manage your .keystore file via standard Java mechanisms. The keystore will contain private keys.
From JavaDoc:
> Instance of this interface manage which X509 certificates may be used to authenticate the remote side of a secure socket. Decisions may be based on trusted certificate authorities, certificate revocation lists, online status checking or other means.
Also note that:
TrustManagers are responsible for managing the trust material that is used when making trust
decisions, and for deciding whether credentials presented by a peer should be accepted.
If you extend the X509TrustManager, you can read in certificates from your private .keystore file as well as certificates trusted by Java. Those live in JAVA_HOME\lib\security\cacerts