Wednesday, November 19, 2008

Let Java SSL Trust All Certificates without Violating Security Manager

Java SSL by default does not trust self-signed certificate. Wikibooks:Programming reveals a way to allow connection to secure HTTP server using self-signed certificate. The magic looks like:

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public[] getAcceptedIssuers() {
return null;

public void checkClientTrusted([] certs, String authType) {
// do nothing

public void checkServerTrusted([] certs, String authType) {
// do nothing

// Install the all-trusting trust manager
SSLContext sc = null;
try {
sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new;
} catch(GeneralSecurityException gse) {
throw new IllegalStateException(gse.getMessage());

However, HttpsURLConnection.setDefaultSSLSocketFactory(...) will throw a SecurityException (a RuntimeException) if a security manager exists and its checkSetFactory method does not allow a socket factory to be specified. The thrown SecurityException looks like

Exception in thread "main" access denied (java.lang.RuntimePermission setFactory)
at java.lang.SecurityManager.checkPermission(
at java.lang.SecurityManager.checkSetFactory(
at SecurityManagerTest.main(

A workaround to avoid such a SecurityException is as below:

URL url = new URL("");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();

The trick is to use the instance method setSSLSocketFactory instead of the static method setDefaultSSLSocketFactory. The former does not throw a SecurityException.

Note: need to use conn.getInputStream() instead of url.openStream(), otherwise the customised SocketFactory won't be used.

Of course to allow to connect the secure web site, the following permission should be added in the Java security policy file:

permission "", "connect";


andrea chiu said...

There are certain point in our life that we encounter failure but it doesn't mean you will lose hope and give up everything but it only means that every failure there's an exchange and that is new beginning. Well, thank you for sharing your article and keep on posting. Visit my site too for more information.

Silvia Jacinto said...

Life is a battle, if you don't know how to defend yourself then you'll end up being a loser.
So, better take any challenges as your stepping stone to become a better person. Have fun,
explore and make a lot of memories.

Kanye Co Jamila said...

Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Java developer learn from Java Training in Chennai. or learn thru Dot Net Training in Chennai . Nowadays Java has tons of job opportunities on various vertical industry.

or Javascript Training in Chennai. Nowadays JavaScript has tons of job opportunities on various vertical industry.