Using HttpURLConnection and HttpsURLConnection to connect to an https?

android httpurlconnection
Arci picture Arci · Apr 1, 2012 · Viewed 16k times · Source

What are the differences if I try to connect to an "https" using HttpURLConnection and HttpsURLConnection?

I was able to connect to "https" using both HttpURLConnection and HttpsURLConnection so I am confused. I thought I can only establish a connection to an "https" if I used HttpsURLConnection?

Below are some of my questions:

  • If I was able to open a connection to an "https" using HttpURLConnection, is my connection still in "https" or does it become "http"?
  • How about the validating of certificates? Since I didn't any SSLSocketFactory and HostnameVerifier on my HttpURLConnection while connecting to an "https", what SSLSocketFactory and HostnameVerifier am I using?
  • Does it mean that I am trusting everything regardless if the certificate is trusted or not?

Answer

Jeremy Edwards picture Jeremy Edwards · Apr 1, 2012
  1. HTTPS connection being used.
  2. Default Behaviors
  3. Not sure but read below.

I just wrote some code as a test (see all the way below). What ends up happening is the URL.openConnection() call will give you back a libcore.net.http.HttpsURLConnectionImpl class.

This is an implementation of HttpsURLConnection but HttpsURLConnection inherits from HttpURLConnection. So you're seeing polymorphism at work.

Looking further into the debugger it appears that the class is using the default factory methods.

hostnameVerifier = javax.net.ssl.DefaultHostnameVerifier

sslSocketFactory = org.apache.harmony.xnet.provider.jsse.OpenSSLSocketFactoryImpl

Based on this it looks like the default behaviors are being used. I don't know if that means if you're trusting everything but you are definitely establishing an HTTPS connection.

The documentation kinda hints at the connection will auto-trust CAs that are well known but not self-signed. (see below) I did not test this but they have example code on how to accomplish that here.

If an application wants to trust Certificate Authority (CA) certificates that are not part of the system, it should specify its own X509TrustManager via a SSLSocketFactory set on the HttpsURLConnection.

Runnable r = new Runnable() {

    public void run() {
        try {
        URL test = new URL("https://www.google.com/");
        HttpURLConnection connection = (HttpURLConnection) test.openConnection();
        InputStream is = connection.getInputStream();
        StringWriter sw = new StringWriter();
        String value = new java.util.Scanner(is).useDelimiter("\\A").next();
        Log.w("GOOGLE", value);
        } catch(Exception e) {
            Log.e("Test", e.getMessage());
        }
    }

};

Thread t = new Thread(r);
t.start();

Related questions

How to add parameters to HttpURLConnection using POST using NameValuePair

I am trying to do POST with HttpURLConnection(I need to use it this way, can't use HttpPost) and I'd like to add parameters to that connection such as post.setEntity(new UrlEncodedFormEntity(nvp)); where nvp = new ArrayList<NameValuePair&…

Read More
Getting java.net.SocketTimeoutException: Connection timed out in android

I'm relatively new to android development. I'm developing an android application where i'm sending request to web server and parsing json objects. Frequently i'm getting java.net.SocketTimeoutException: Connection timed out exception while communicating with the server. Some times it …

Read More
Sending files using POST with HttpURLConnection

Since the Android developers recommend to use the HttpURLConnection class, I was wondering if anyone can provide me with a good example on how to send a bitmap "file" (actually an in-memory stream) via POST to an Apache HTTP server. …

Read More