B4J Question [SOLVED] possible webview cache issue?

[aminoacid]

This is something that has stumped me.

I cannot figure out why the following URL:

https://strikenet-tx.com/apache.html

works in Chrome and Edge but will not load in webview. This is just a simple apache test page. Nothing complex at all.

I wrote a simple B4J App to test it out. Just one webview control and nothing else. See below - this is the whole program:

#Region Project Attributes
    #MainFormWidth: 600
    #MainFormHeight: 600
#End Region

Sub Process_Globals
    Private fx As JFX
    Private MainForm As Form
    Private xui As XUI
    Private WebView1 As WebView
End Sub

Sub AppStart (Form1 As Form, Args() As String)
    MainForm = Form1
    MainForm.RootPane.LoadLayout("Layout1")
    MainForm.Show
    WebView1.LoadUrl("https://strikenet-tx.com/apache.html")
    'WebView1.LoadUrl("https://www.google.com")
End Sub

I tried various web sites like google, etc. It works fine. But I just get a blank screen with the URL "https://strikenet-tx.com/apache.html". And like I said. This URL/page loads fine in all other browsers.

Any suggestions would be appreciated. I have spent a whole day trying to figure this out and I give up!

Thanks!

 

[Erel]

I see it too. It is not a caching issue. I'm not sure what causes it. Maybe the server runs a protection layer that rejects the request from WebView (I tried to change the user agent but it didn't help).

 

[sedd]

Some sites require to save the "crt" file in the "cacerts" file of Java. (it worked)

 

[Sandman]

It's related to the cert the site uses. A quick test with the lovely tool curl gives this response:

sandman@woopwoop:~ curl https://strikenet-tx.com/apache.html
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
sandman@woopwoop:~

I'm no expert with certs etc, but this is how I picture the situation: Each browser has their own list of acceptable certs. It's in the interests of the big browsers to keep their lists updated so everything works for the users. But then we have stuff like curl and Java, which have their own lists. For whatever reason they don't seem to be updated as quickly as the browsers.

And the site in question have a very new certificate, probably generated in February this year.

Searching for the first line in the curl output I found this SO thread:

curl: (60) SSL certificate problem: unable to get local issuer certificate

root@sclrdev:/home/sclr/certs/FreshCerts# curl --ftp-ssl --verbose ftp://{abc}/ -u trup:trup --cacert /etc/ssl/certs/ca-certificates.crt * About to connect() to {abc} port 21 (#0) * Trying {abc}....

stackoverflow.com

Looking at the top answer, the solution is to update the list of certs in curl. And as far as I can tell that's what @sedd explained in #4 also.

I think this is fairly correct, but I don't know what the best solution is though.

 

[aminoacid]

The last time I worked on the code it was working fine so that's why I thought it was a caching issue and decided to see if just a simple web page would load from the server. The server, BTW is a B4J websockets server (jserver 3.0). Also, everything works fine with B4A and B4I webview. Just B4J that chokes.

 

[aminoacid]

Some sites require to save the "crt" file in the "cacerts" file of Java. (it worked)

You mention - it worked - Did you get it to work with B4J webview? How do you update the cert list in webview?

 

[aeric]

How do you output the html page with JServer?

 

[aminoacid]

Ok.... I got it to work. Thank you @sedd and @Sandman
Once I added the certificate to the local JRE cacerts file, I could view the page.
The procedure to do this is outlined in the link below.

Support

knowledge.informatica.com

[edit] This resolves the problem but it got me thinking about what if you need to distribute the application? You can't expect the end-user to have to add the certificate manually. The certificate is a purchased, perfectly valid certificate (issued by DigiCert) and works in other browsers so it seems strange that this behavior is specific to browsers like curl and webview.

 

[aminoacid]

How do you output the html page with JServer?

I'm running a B4J websockets appliction that uses jServer. The home sub-directory is "www" with index.html as the default page. I just placed the apache test page in this folder.

 

[aeric]

Another solution is to use HU2_ACCEPTALL in Conditional Symbols and use OkHttpUtils2 to download the page then display using WebView1.LoadHtml(job.GetString)
But I am not sure it is already fixed at your side.

 

[aminoacid]

Another solution is to use HU2_ACCEPTALL in Conditional Symbols and use OkHttpUtils2 to download the page then display using WebView1.LoadHtml(job.GetString)
But I am not sure it is already fixed at your side.

Thanks! Good information to keep in mind for future reference. However in my case I have to use webview since my application does more than just display a page. I used the apache page for testing only.

 

[aeric]

Thanks! Good information to keep in mind for future reference. However in my case I have to use webview since my application does more than just display a page. I used the apache page for testing only.

I may just use a plain html file with h1 tag.

<h1>It works!</h1>

 

[Sandman]

This resolves the problem but it got me thinking about what if you need to distribute the application? You can't expect the end-user to have to add the certificate manually. The certificate is a purchased, perfectly valid certificate (issued by DigiCert) and works in other browsers so it seems strange that this behavior is specific to browsers like curl and webview.

Yeah, that's why I couldn't find a solution to recommend. I should have been more clear about it, sorry.

On second thought, the only thing I can think of is to get a different certificate that is (more) guaranteed to work, assuming that the primary use of the website is via a webview in your app. Sucks, but works.

I assume it's possible to configure webview to not care of the validity of the cert (it is for curl), which would solve the direct issue and display the site in the webview. But it would also open up a giant security hole, the cert is there for a reason - don't do this.

 

[aminoacid]

Yeah, that's why I couldn't find a solution to recommend. I should have been more clear about it, sorry.

On second thought, the only thing I can think of is to get a different certificate that is (more) guaranteed to work, assuming that the primary use of the website is via a webview in your app. Sucks, but works.

I assume it's possible to configure webview to not care of the validity of the cert (it is for curl), which would solve the direct issue and display the site in the webview. But it would also open up a giant security hole, the cert is there for a reason - don't do this.

Yes... that's exactly what I was looking for..... Some way to configure webview to ignore the validity of the certificate. In my application, security is not an issue. However I could not find any way to do this.

 

[Sandman]

I could not find any way to do this

Post a new question asking how to do this, and add a link to this thread, for background. I'm willing to bet that somebody with Java knowledge can figure out the correct spell for you.

 

[teddybear]

[edit] This resolves the problem but it got me thinking about what if you need to distribute the application? You can't expect the end-user to have to add the certificate manually. The certificate is a purchased, perfectly valid certificate (issued by DigiCert) and works in other browsers so it seems strange that this behavior is specific to browsers like curl and webview.

I wrapped a library for trusting all websites, it is like HU2_ACCEPTALL , you don't have to add the certificate manually.

    Dim AT As AllTrust
    AT.Initialize
    WebView1.LoadUrl("https://strikenet-tx.com/apache.html")

 

[aeric]

My understanding is, you install your certificate on the server.
I have a small VPS hosting from hostinger. My port 80 is used by Apache server and can run PHP.
I created Let's Encrypt SSL and the certificate is shared with all the ports, including (and intended for) all my B4J Jetty Server apps running on other port numbers.
Nothing is needed to be done for the client apps.

[Server] Using Let's Encrypt on Ubuntu VPS

#1 How to: Install Let's Encrypt on Ubuntu Linux VPS to Create SSL Certificates Downloading and Installing Let's Encrypt 1. Update the server's packages apt-get update & sudo apt-get upgrade 2. Install the GIT package apt-get install git 3. Download a clone of Let's Encrypt from the GitHub...

www.b4x.com

 

[drgottjr]

configuring webview to ignore ssl certs is trivial.
you can also arrange things so that a list of
white-listed sites with problematic certificates
could still be loaded by webview. this list could
be compiled by the developer or the user and
be updated as needed. in the case of a
distributed app, it has to be understood by the
user that any sites added to the list by him are
his responsibility. as has been pointed out,
the major browsers have little choice but to
update such a list as certifiying authorities come
and go. there is no reason you could not do
the same for your app.

 

[aminoacid]

I wrapped a library for trusting all websites, it is like HU2_ACCEPTALL , you don't have to add the certificate manually.

    Dim AT As AllTrust
    AT.Initialize
    WebView1.LoadUrl("https://strikenet-tx.com/apache.html")

Thanks! I tried it, but get this error when compiling:

java.lang.UnsupportedClassVersionError: b4j/teddybear/alltrust has been compiled by a more recent version of the Java Runtime (class file version 53.0), this version of the Java Runtime only recognizes class file versions up to 52.0

I am using the latest version of B4J, Java8 JDK 8u371

Do I need the library source?

 

[teddybear]

Thanks! I tried it, but get this error when compiling:

java.lang.UnsupportedClassVersionError: b4j/teddybear/alltrust has been compiled by a more recent version of the Java Runtime (class file version 53.0), this version of the Java Runtime only recognizes class file versions up to 52.0

I am using the latest version of B4J, Java8 JDK 8u371

Do I need the library source?

The jar has been updated for jdk8