Making Secure HTTP (HTTPS) Connections
To make a connection to a secure HTTP server, replace http:// with https:// in the URL passed to the Connector.open method. Fortunately, the web application also supports HTTPS connections, so simply substitute https:// into the URL to make https://beginningblackberry.appspot.com, and then click Get. The result will look almost the same as the non-secure HTTP connection (see Figure 7-14).
- Figure 7-14. Retrieving the web application over HTTPS
Performing the POST works in a similar way. We haven't had to change the connection-handling code because Connector.open returns an HttpsConnection instead of HttpConnection, and HttpsConnection derives from HttpConnection. We can, however, detect this and display some information about the connection (in this case, the issuer of the TLS certificate). Add the following lines to the run method of HttpRequestDispatcher right after getting the response code:
if (connection instanceof HttpsConnection) {
    HttpsConnection secureConnection = (HttpsConnection) connection;
    // final so the anonymous Runnable below can read it
    final String issuer = secureConnection.getSecurityInfo().getServerCertificate().getIssuer();
    UiApplication.getUiApplication().invokeLater(new Runnable() {
        public void run() {
            Dialog.inform("Secure Connection, certificate issued by: " + issuer);
        }
    });
}
Now, if we enter the https:// URL, we'll get a dialog with some info as shown in Figure 7-15.
- Figure 7-15. Information about the security of the connection
NOTE: Something to be aware of with HTTPS connections—and this applies to secure socket (TLS and SSL) connections, too—is that things are simple only when the certificate provided by the server is known to the BlackBerry, or, in the case of a BES/MDS connection, known to the BES. In the case of an unknown certificate such as a self-signed certificate, a prompt is displayed to the user asking them to verify the connection. If the connection is a BES/MDS connection, this prompt is displayed only if certificate verification is done on the device by adding the EndToEndRequired=true parameter to the end of the URL to force certificate verification to happen on the device. Otherwise, the connection just fails. If you stick with certificates from known certification authorities, you shouldn't have to worry about any of this.
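Because a user can accept an unknown certificate at the prompt described in the note, an application may want to apply its own check to the same SecurityInfo that the dialog code reads. The following is an added example, not code from the book: the class ServerCertificatePolicy, its check method, and the expectedIssuerPart parameter are hypothetical names, and it uses only the MIDP 2.0 SecurityInfo and Certificate interfaces.

```java
import java.io.IOException;
import javax.microedition.io.HttpsConnection;
import javax.microedition.io.SecurityInfo;
import javax.microedition.pki.Certificate;

/** Hypothetical helper; not part of the book's HttpRequestDispatcher. */
public final class ServerCertificatePolicy {

    private ServerCertificatePolicy() {
    }

    /**
     * Returns null when the connection satisfies the policy, otherwise a
     * short reason to show or log. expectedIssuerPart is a caller-supplied
     * fragment of the issuer name the application is willing to accept.
     */
    public static String check(HttpsConnection connection,
                               String expectedIssuerPart) throws IOException {
        SecurityInfo info = connection.getSecurityInfo();

        // MIDP reports "TLS", "SSL" (SSL v3) or "WTLS" here.
        if (!"TLS".equals(info.getProtocolName())) {
            return "negotiated " + info.getProtocolName() + " instead of TLS";
        }

        Certificate cert = info.getServerCertificate();
        if (cert == null) {
            return "no server certificate available";
        }

        // Validity bounds are milliseconds since the epoch.
        long now = System.currentTimeMillis();
        if (now < cert.getNotBefore() || now > cert.getNotAfter()) {
            return "certificate is outside its validity period";
        }

        // Case-insensitive substring match on the issuer string, the same
        // value the dialog above displays.
        String issuer = cert.getIssuer();
        if (issuer == null || issuer.toLowerCase()
                .indexOf(expectedIssuerPart.toLowerCase()) < 0) {
            return "unexpected issuer: " + issuer;
        }
        return null;
    }
}
```

Call ServerCertificatePolicy.check(secureConnection, ...) inside the instanceof block and discard the response if it returns a reason. Matching on the issuer name is a coarse check: the MIDP Certificate interface does not expose the public key or the encoded certificate, so it cannot pin a specific key.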