How to add SSLContext with TLSv1.2 in Android Kitkat

coding

Recently, I came across an issue where a server was not responding in my android application running in Kitkat version of Android. Yes, Kitkat is old, and why one should use it when we can always upgrade to a higher version of Android. We can argue, find pros and cons, but that’s not the point. If we have the technology, it should be more flexible and sometimes, a customer will not be able to go for a higher version of Android. When technology plays with time, certain things are not in control. So if websites had made TLSv1.2 compulsory when Android Kitkat was released, Google had no choice but to release a solution. But that wasn’t the case.

Back to the present time, my Android application is trying to contact a server that has TLSv1.2 enabled. In my Android application, I used Android provided DefaultHttpClient.

So the issue is “How do we add a SSLContext in this DefaultHttpClient“?

Solution –

Create a HTTP Client Socket Factory –

We will build a socket factory that will implement LayeredSocketFactory like below:

public class TlsSniSocketFactory implements LayeredSocketFactory {

  private final static HostnameVerifier hostnameVerifier = new StrictHostnameVerifier();

  private final boolean acceptAllCertificates;
  private final String selfSignedCertificateKey;

  public TlsSniSocketFactory() 
        {
    this.acceptAllCertificates = false;
    this.selfSignedCertificateKey = null;
  }

  public TlsSniSocketFactory(String certKey) 
        {
    this.acceptAllCertificates = false;
    this.selfSignedCertificateKey = certKey;
  }

  public TlsSniSocketFactory(boolean acceptAllCertificates) 
        {
    this.acceptAllCertificates = acceptAllCertificates;
    this.selfSignedCertificateKey = null;
  }

  // Plain TCP/IP (layer below TLS)

  @Override
  public Socket connectSocket(Socket s, String host, int port, InetAddress localAddress, int localPort,
                HttpParams params) throws IOException {
    return null;
  }

  @Override
  public Socket createSocket() throws IOException {
    return null;
  }

  @Override
  public boolean isSecure(Socket s) throws IllegalArgumentException {
    if (s instanceof SSLSocket) {
      return s.isConnected();
    }
    return false;
  }

  // TLS layer

  @Override	
  public Socket createSocket(Socket plainSocket, String host, int port, boolean autoClose) throws IOException 
        {
    if (autoClose) 
                {
      plainSocket.close();
    }

    SSLCertificateSocketFactory sslSocketFactory =
        (SSLCertificateSocketFactory) SSLCertificateSocketFactory.getDefault(0);

    // For self-signed certificates use a custom trust manager
    if (acceptAllCertificates) {
      sslSocketFactory.setTrustManagers(new TrustManager[]{new IgnoreSSLTrustManager()});
    } else if (selfSignedCertificateKey != null) {
      sslSocketFactory.setTrustManagers(new TrustManager[]{new SelfSignedTrustManager(selfSignedCertificateKey)});
    }

    // create and connect SSL socket, but don't do hostname/certificate verification yet
    SSLSocket ssl = (SSLSocket) sslSocketFactory.createSocket(InetAddress.getByName(host), port);

    // enable TLSv1.1/1.2 if available
    // ssl.setEnabledProtocols(ssl.getSupportedProtocols());
                // this can be hard coded too
                ssl.setEnabledProtocols(new String[] {"TLSv1.2"});

    // set up SNI before the handshake
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
      sslSocketFactory.setHostname(ssl, host);
    } else {
      try {
        java.lang.reflect.Method setHostnameMethod = ssl.getClass().getMethod("setHostname", String.class);
        setHostnameMethod.invoke(ssl, host);
      } catch (Exception e) {
        Log.d(TlsSniSocketFactory.class.getSimpleName(), "SNI not usable: " + e);
      }
    }

    // verify hostname and certificate
    SSLSession session = ssl.getSession();
    if (!(acceptAllCertificates || selfSignedCertificateKey != null) && !hostnameVerifier.verify(host, session)) {
      throw new SSLPeerUnverifiedException("Cannot verify hostname: " + host);
    }

    return ssl;
  }

}

Register a HTTPS Scheme

We will register a scheme that will use our custom socket factory.

SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("https", new TlsSniSocketFactory(),443));

ClientConnectionManager ccm = new ThreadSafeClientConnManager(httpparams, schemeRegistry);
DefaultHttpClient defaultHttpClient = new DefaultHttpClient(ccm, httpparams);

Now if use defaultHttpClient to call a GET or POST request, we should be able to connect to a server that is enabled with TLSv1.2.

Conclusion

In this post, we showed how to use DefaultHttpClient in Android Kitkat with TLSv1.2. If you enjoyed this post, subscribe to my blog here.

References

  1. TLS Socket Factory
  2. Default HTTP Client

LDAP Authentication with Spring Boot LDAP

In this article, I will show how to achieve LDAP authentication using spring boot plugin for LDAP.

What you will need

  • Java 8
  • IntelliJ
  • Apache Directory Server
  • Apache Directory Studio
  • Spring Boot

Implementation

To use LDAP for authentication with Spring Boot, definitely set up a LDAP server and we will use Apache Directory Server in our case. I will not be showing “How to set up and add LDIF entries” as this is entirely different topic. But I have two users John Doe and James Hook in my LDAP repository. I will use those accounts to login.

Set up Spring Boot with LDAP dependencies

As part of implementing this, we will add following gradle dependencies:

compile('org.springframework.boot:spring-boot-starter')
compile('org.springframework.boot:spring-boot-starter-web')
compile('org.springframework.boot:spring-boot-starter-security')
compile('org.springframework.ldap:spring-ldap-core')
compile('org.springframework.security:spring-security-ldap')
compile('org.springframework:spring-tx')
compile('org.apache.directory.server:apacheds-server-jndi:1.5.5')

For our task, spring-ldap-core and spring-security-ldap are important dependencies.

Rest Controller

We will create a simple rest controller that will display our sample page. This sample page will be secured and to access it, an user will have to authenticate.

package com.betterjavacode.SpringBootLdapApplication.Controllers;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class HomeController
{
    @GetMapping("/")
    public String index()
    {
        return "Welcome to Spring Boot Ldap Application Page";
    }
}

Security Configuration

We will add our security configuration by adding a WebSecurityConfig class that extends WebSecurityConfigurerAdapter.

package com.betterjavacode.SpringBootLdapApplication;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
    @Override
    protected void configure(HttpSecurity http) throws Exception
    {
        http.httpBasic().and().authorizeRequests().anyRequest().authenticated().and().formLogin().and().csrf().disable();
    }

    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception
    {
        authenticationManagerBuilder
                .ldapAuthentication()
                .contextSource().url("ldap://localhost:10389/o=betterjavacode")
                .managerDn("uid=admin,ou=system").managerPassword("secret")
                .and()
                .userSearchBase("ou=people")
                .userSearchFilter("(uid={0})");
    }

}

Now if we look at this, when a user will launch the application, he will be challenged with a login form based on formLogin() . Once the user enters credentials, he will be redirected to home page.

The result for that will look like below:

Once the user enters credentials:

Conclusion

In this post, we showed how to use LDAP for authentication using Spring boot.

References

  1. Spring Boot LDAP – Spring Boot LDAP
  2. Authentication using LDAP – LDAP Authentication

 

Custom Twitter Client vs Spring Boot Twitter Plugin

To use twitter data in my saas application, I was going to write my own custom Twitter client by doing a rest call. However, I found out Spring Boot offers a Twitter plugin that can be used to fetch Twitter data. Neat.

In this post, I will show some comparison of these two approaches and why one can choose over another:

Custom Twitter Client

So custom twitter client will be a standalone client which will build an HTTP entity with client secrets that are needed to authenticate with Twitter API. In this client, we will use restOperations to call API endpoint passing HTTP entity and the REST call will respond with Twitter Data Model.

This will look like below:

public TwitterDataModel getTwitterData(long accountId)
{
    String url = buildRestUrl(accountId);
    ParameterizedTypeReference<HashMap<Long, TwitterDataModel>> responseType = new ParameterizedTypeReference<HashMap<Long, TwitterDataModel>>(){};
    HttpEntity entity = buildHttpEntity(CLIENT_ID, CLIENT_SECRET);
    Map<Long, TwitterDataModel> twitterDataModelMap = restOperations.exchange(url, HttpMethod.GET, entity, responseType).getBody();

    Long keyForData = new Long(accountId);
    TwitterDataModel twitterDataModel = twitterDataModelMap.get(keyForData);

    return twitterDataModel;
}

public String buildRestUrl(long accountId)
{
    return TWITTER_REST_ENDPOINT + accountId + TWITTER_REST_API;
}

There is nothing much wrong with this approach, except the fact that we will have to write an extra TwitterDataModel business object. Also, this business model should be created before we do the actual REST call.

Spring Boot Twitter Plugin

To use this plugin, first, we need to add the plugin in Gradle or maven like below:

compile('org.springframework.social:spring-social-twitter')

Once we have this plugin, we can add an object of type Twitter in our code to call REST APIs.

This will look like below:

private final Twitter twitter;

public TwitterDataModel getTwitterData(long accountId)
    {
        String url = buildRestUrl(accountId);
        ParameterizedTypeReference<HashMap<Long, TwitterDataModel>> responseType = new ParameterizedTypeReference<HashMap<Long, TwitterDataModel>>(){};
        HttpEntity entity = buildHttpEntity(CLIENT_ID,CLIENT_SECRET);

        Map<Long, TwitterDataModel> twitterDataModelMap = twitter.restOperations().exchange(url, HttpMethod.GET, entity, responseType).getBody();

        Long keyForData = new Long(accountId);
        TwitterDataModel twitterDataModel = twitterDataModelMap.get(keyForData);

        return twitterDataModel;
    }

    public String buildRestUrl(long accountId)
    {
        return TWITTER_REST_ENDPOINT + accountId + TWITTER_REST_API;
    }

The major advantage of this plugin is that we can get the data in Twitter Data Model that twitter offers. An then we can go on to use to handle our data.

Conclusion

In this post, I showed how we can use a Spring Boot Twitter social plugin to gather Twitter data.

SaaS Application Design Discussion – Part IV

In the previous post, I discussed database design for saas application. To continue design discussion for our social pie saas application, in this post, we will discuss a few more ideas about how a user and user’s company will sign up for application. This will be a user story. We are building a SAAS application. To make it more viable, this application will use the freemium and pay model.

  1. In the freemium model – Any company can join and review what reports it will be able to see and what kind of marketing strategies it can design using those reports.
    1. 5 Reports
    2. Free Marketing Strategies
    3. Up to 3 users
    4. Limited usage of twitter and Instagram APIs
  2. In pay model – If a company opts to join a pay subscription, it will be able to get more advance reports, will be able to see reports in a different format, and can also get consultation about strategies for marketing.
    1. N number of reports – Your data, your freedom
    2. Marketing Consultation
    3. KPI tracker and notification
    4. Up to N users (won’t be implemented in first version)

User Flow

Once the user lands on the home page, he can opt for either model and sign up. An automated email will be sent to the user for a demo or sign up. Upon sign up, where the user will be entering details about himself and his company. This user will be an administrator and he can add other users with custom roles. The same user can go to reports tab and click on sync data. This will get the latest data from social media and update it in the database. Every new request will compare newly fetched data with current data in the database. If the new request has brought changes, it will be updated in the database. When generating reports, this data from the database will be cached.

We will not be fetching any on-the-fly data from Twitter and Instagram. Administrator users will have an option to send reports to other people from the company. There will be an email/download option.

There are some nitty-gritty details that I have not covered in this post. But with this post, we will be starting to develop a Saas application using java and spring-boot.

 

Database and design discussion – Part III

To continue the development of a spring-based web application, this post will discuss using of Twitter API in saas application. If you want to understand, what we are building, you can read the first two posts of this series where we discussed the design of the application we are building:

  1. Database design and discussion – Part I
  2. Database design and discussion – Part II

In the previous post, we discussed the Instagram API that we will be using. With recent events around Facebook, I have decided not to use Facebook API for application development. We will still use Instagram and Twitter API.

Using Twitter API in SAAS Application

Firstly, Twitter offers different APIs for developers to build applications. We will be using Engagement API. You can find more details Twitter API.

Our goal is to use this Twitter API to collect engagement metrics in the Saas application.

Secondly, Engagement API offers us details about account engagement metrics which can help us to design marketing strategy. Sample response of this API looks like the below:

{
  "Tweet metrics": {
    "902301386880286721": {
      "engagements": "433",
      "favorites": "21",
      "impressions": "72218"
    },
    "902731270274166784": {
      "engagements": "61",
      "favorites": "27",
      "impressions": "7827"
    },
    "907022936564838401": {
      "engagements": "187",
      "favorites": "37",
      "impressions": "1916"
    }
  }
}

Therefore this API provides metrics for tweets, which tweet generated more traffic. The key decision that can be devised based on these metrics is what kind of tweet, moment or incident generates the traffic.

What fields we will use in our database?

In conclusion, we will be using the following fields in our database table TwitterData

  • tweet id
  • engagements
  • impressions
  • tweet

Twitter is a viable medium. This data will provide small businesses with a key metric about what tweets have worked with their followers and how they can leverage that pattern. Once the small businesses sort out these patterns, they will be able to create a number of tweets to engage with customers. Eventually, the goal here is to help small businesses to attract customers, and repeat customers.

References

  1. Twitter API documentation – Twitter API