JDK-8246215

WebView does not care "HttpsURLConnection.setDefaultSSLSocketFactory()"

    • web
    • x86_64
    • windows_10

      ADDITIONAL SYSTEM INFORMATION :
      Windows 10
      OpenJDK 13.0.1 or OpenJDK 14.0.1

      A DESCRIPTION OF THE PROBLEM :
      My code uses a customized TrustManager for all HttpsURLConnection. This works well with javafx 13.0.1, but fails with javafx 14.0.1.
      From checking the logs and code, it looks like WebView behaves differently in the 2 versions:
      1) A method of "X509KeyManagerImpl" in package "sun.security.ssl" is always called by javafx 14.0.1 when it loads an https page in WebView, whatever SSLContext is set for HttpsURLConnection.
      2) The user-defined method is called by javafx 13.0.1 when it loads an https page in WebView if an SSLContext is set for HttpsURLConnection.
      3) This issue is not related to the JDK. With either jdk 14.0.1 or 13.0.1, the above 2 behaviours always happen.
      4) It looks to be related only to module "javafx-web": when the other javafx modules are at 14.0.1 and only "javafx-web" is at 13.0.1, this issue does not happen. So "javafx-web 14.0.1" may be the reason.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1) Write a customized TrustManager to be assigned to HttpsURLConnection. Example:
      ------------------------------------------------------------------------
          // Reproducer: accepts every certificate chain and only logs it.
          // Needs java.net.Socket, java.security.cert.CertificateException,
          // java.security.cert.X509Certificate, javax.net.ssl.SSLEngine and
          // javax.net.ssl.X509ExtendedTrustManager; "logger" is the reporter's logger.
          public static class TrustAllManager extends X509ExtendedTrustManager {

              @Override
              public X509Certificate[] getAcceptedIssuers() {
                  // The X509TrustManager contract requires a non-null (possibly empty) array.
                  return new X509Certificate[0];
              }

              @Override
              public void checkClientTrusted(X509Certificate[] certs, String authType) {
              }

              @Override
              public void checkServerTrusted(X509Certificate[] certs, String authType) {
                  for (X509Certificate cert : certs) {
                      logger.debug(cert);
                  }
              }

              @Override
              public void checkClientTrusted(X509Certificate[] chain, String authType,
                      Socket socket) throws CertificateException {
              }

              @Override
              public void checkServerTrusted(X509Certificate[] chain, String authType,
                      Socket socket) throws CertificateException {
                  for (X509Certificate cert : chain) {
                      logger.debug(cert);
                  }
              }

              @Override
              public void checkClientTrusted(X509Certificate[] chain, String authType,
                      SSLEngine engine) throws CertificateException {
              }

              @Override
              public void checkServerTrusted(X509Certificate[] chain, String authType,
                      SSLEngine engine) throws CertificateException {
                  for (X509Certificate cert : chain) {
                      logger.debug(cert);
                  }
              }
          }
      ------------------------------------------------------------------------

      2) Assign the customized TrustManager to HttpsURLConnection and load an https page in WebView. Example:
      ------------------------------------------------------------------------
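              try {
                  SSLContext sc = SSLContext.getInstance("TLSv1.2");
                  // trustAllManager() and trustAllVerifier() are the reporter's helpers (not shown).
                  sc.init(null, trustAllManager(), new SecureRandom());

                  // These set process-wide defaults for HttpsURLConnection.
                  HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
                  HttpsURLConnection.setDefaultHostnameVerifier(trustAllVerifier());

                  // load() fetches a URL; loadContent() would render the string itself as HTML.
                  webEngine.load("http://webapi.amap.com/");
              } catch (Exception e) {
                  logger.debug(e.toString());
              }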
      ------------------------------------------------------------------------

      3) Display the WebView with javafx 13.0.1

      4) Display the WebView with javafx 14.0.1

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      WebView loads https pages with connections using the customized TrustManager
      ACTUAL -
      WebView of javafx 14.0.1 bypasses the customized TrustManager and always calls a method of "X509KeyManagerImpl" in package "sun.security.ssl"

      ---------- BEGIN SOURCE ----------
      In "Steps to Reproduce"
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Use module "javafx-web" in 13.0.1 instead of 14.0.1. Other modules and JDK can be 14.0.1.

      FREQUENCY : always


            Unassigned Unassigned
            webbuggrp Webbug Group
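An added example, not part of the original report or of OpenJFX: a diagnostic trust manager that records whether it is consulted, as the reporter's logging does, while still delegating validation to the JDK default trust store. The names `ObservingTrustManager`, `SERVER_CHECKS` and `install()` are hypothetical.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.*;

// Added example; class, field and method names are hypothetical.
// Counts server-trust checks, then lets the JDK default trust manager decide.
public class ObservingTrustManager extends X509ExtendedTrustManager {
    public static final AtomicInteger SERVER_CHECKS = new AtomicInteger();
    private final X509ExtendedTrustManager delegate;

    public ObservingTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        X509ExtendedTrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) found = (X509ExtendedTrustManager) tm;
        }
        if (found == null) throw new IllegalStateException("no default X.509 trust manager");
        delegate = found;
    }

    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    @Override public void checkClientTrusted(X509Certificate[] c, String t)
        throws CertificateException { delegate.checkClientTrusted(c, t); }
    @Override public void checkClientTrusted(X509Certificate[] c, String t, Socket s)
        throws CertificateException { delegate.checkClientTrusted(c, t, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String t, SSLEngine e)
        throws CertificateException { delegate.checkClientTrusted(c, t, e); }

    // Each server check is counted first, then validated by the default trust manager.
    @Override public void checkServerTrusted(X509Certificate[] c, String t)
        throws CertificateException { SERVER_CHECKS.incrementAndGet(); delegate.checkServerTrusted(c, t); }
    @Override public void checkServerTrusted(X509Certificate[] c, String t, Socket s)
        throws CertificateException { SERVER_CHECKS.incrementAndGet(); delegate.checkServerTrusted(c, t, s); }
    @Override public void checkServerTrusted(X509Certificate[] c, String t, SSLEngine e)
        throws CertificateException { SERVER_CHECKS.incrementAndGet(); delegate.checkServerTrusted(c, t, e); }

    // Installs the observer as the HttpsURLConnection default, as in step 2 of the report.
    public static void install() throws Exception {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { new ObservingTrustManager() }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }
}
```

After `install()`, load an https page and read `SERVER_CHECKS`: a count that stays at 0 means the component under test did not use the HttpsURLConnection default socket factory.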