From 401b9efd7709b54cb05d31b4fac7679f84e4a389 Mon Sep 17 00:00:00 2001 From: ldetmer Date: Tue, 10 Feb 2026 16:55:43 -0500 Subject: [PATCH 1/7] chore: update apahce http transport clients to use default jdk certs --- docs/oauth-2.0.md | 14 ++++++------- .../apache/v5/GoogleApache5HttpTransport.java | 20 ++++++------------- .../v5/ITGoogleApache5HttpTransportTest.java | 7 ++++--- .../apache/v2/GoogleApacheHttpTransport.java | 19 ++++++------------ 4 files changed, 23 insertions(+), 37 deletions(-) diff --git a/docs/oauth-2.0.md b/docs/oauth-2.0.md index 56a72b165..247750b32 100644 --- a/docs/oauth-2.0.md +++ b/docs/oauth-2.0.md @@ -47,7 +47,7 @@ For instructions on setting up your credentials properly, see the already have an access token, you can make a request in the following way: ```java -import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; +import com.google.api.client.http.javanet.NetHttpTransport; import com.google.api.client.json.gson.GsonFactory; import com.google.api.services.books.Books; import com.google.auth.http.HttpCredentialsAdapter; @@ -59,7 +59,7 @@ GoogleCredentials credentials = Books books = new Books.Builder( - GoogleNetHttpTransport.newTrustedTransport(), + Gnew NetHttpTransport(), GsonFactory.getDefaultInstance(), new HttpCredentialsAdapter(credentials)) .setApplicationName("BooksExample/1.0") @@ -79,7 +79,7 @@ App Engine takes care of all of the details. You only specify the OAuth 2.0 scope you need. ```java -import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; +import com.google.api.client.http.javanet.NetHttpTransport; import com.google.api.client.json.gson.GsonFactory; import com.google.api.services.books.Books; import com.google.appengine.api.appidentity.AppIdentityService; 
@@ -99,7 +99,7 @@ GoogleCredentials credentials = Books books = new Books.Builder( - GoogleNetHttpTransport.newTrustedTransport(), + new NetHttpTransport(), GsonFactory.getDefaultInstance(), new HttpCredentialsAdapter(credentials)) .setApplicationName("BooksExample/1.0") @@ -373,7 +373,7 @@ a private key downloaded from the [Google API Console][console]. For example, you can make a request in the following way: ```java -HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport(); +HttpTransport httpTransport = new NetHttpTransport(); JsonFactory jsonFactory = GsonFactory.getDefaultInstance(); //Build service account credential @@ -405,12 +405,12 @@ additionally call [`GoogleCredential.Builder.setServiceAccountUser(String)`][set This is the command-line authorization code flow described in [Using OAuth 2.0 for Installed Applications][oauth2-installed-app]. -Example snippet from [plus-cmdline-sample][plus-sample]: +Example usage: ```java public static void main(String[] args) { try { - httpTransport = GoogleNetHttpTransport.newTrustedTransport(); + httpTransport = new NetHttpTransport(); dataStoreFactory = new FileDataStoreFactory(DATA_STORE_DIR); // authorization Credential credential = authorize(); diff --git a/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java index 00a7673b3..b4b8e4203 100644 --- a/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java +++ b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java 
@@ -14,10 +14,8 @@ package com.google.api.client.googleapis.apache.v5; -import com.google.api.client.googleapis.GoogleUtils; import com.google.api.client.googleapis.mtls.MtlsProvider; import com.google.api.client.googleapis.mtls.MtlsUtils; -import com.google.api.client.googleapis.util.Utils; import com.google.api.client.http.apache.v5.Apache5HttpTransport; import com.google.api.client.util.SslUtils; import com.google.common.annotations.Beta; @@ -48,11 +46,8 @@ public final class GoogleApache5HttpTransport { /** - * Returns a new instance of {@link Apache5HttpTransport} that uses {@link - * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. If - * `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to "true", and the default - * client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} is not null, then the - * transport uses the default client certificate and is mutual TLS. + * Returns a new instance of {@link Apache5HttpTransport} that uses default jdk certificates for + * the trusted certificates. */ public static Apache5HttpTransport newTrustedTransport() throws GeneralSecurityException, IOException { @@ -61,9 +56,8 @@ public static Apache5HttpTransport newTrustedTransport() /** * {@link Beta}
- * Returns a new instance of {@link Apache5HttpTransport} that uses {@link - * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. mtlsProvider can be used - * to configure mutual TLS for the transport. + * Returns a new instance of {@link Apache5HttpTransport} that uses default jdk certificates + * for the trusted certificates. mtlsProvider can be used to configure mutual TLS for the transport. * * @param mtlsProvider MtlsProvider to configure mutual TLS for the transport */ @@ -109,22 +103,20 @@ public SocketFactoryRegistryHandler(MtlsProvider mtlsProvider) mtlsKeyStorePassword = mtlsProvider.getKeyStorePassword(); } - // Use the included trust store - KeyStore trustStore = GoogleUtils.getCertificateTrustStore(); SSLContext sslContext = SslUtils.getTlsSslContext(); if (mtlsKeyStore != null && mtlsKeyStorePassword != null) { this.isMtls = true; SslUtils.initSslContext( sslContext, - trustStore, + null, SslUtils.getPkixTrustManagerFactory(), mtlsKeyStore, mtlsKeyStorePassword, SslUtils.getDefaultKeyManagerFactory()); } else { this.isMtls = false; - SslUtils.initSslContext(sslContext, trustStore, SslUtils.getPkixTrustManagerFactory()); + SslUtils.initSslContext(sslContext, null, SslUtils.getPkixTrustManagerFactory()); } LayeredConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext); diff --git a/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java b/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java index f8e9cbed1..db03ab720 100644 --- a/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java +++ b/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java 
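Review bot: The bare `null` now passed as the trust store in both `SslUtils.initSslContext(...)` calls reads as "no trust anchors" unless the reader knows the JSSE convention, and the `// Use the included trust store` comment that explained the old argument was removed with it. Presumably `initSslContext` hands the value to `TrustManagerFactory.init`, where `null` selects the JVM default store; its body is not in this patch, so that is worth confirming. A line such as `// null => JVM default trust store (cacerts, or whatever javax.net.ssl.trustStore points at)` above `SSLContext sslContext = ...` would make the intent explicit. The Javadoc on `newTrustedTransport` could also state that the trusted roots now come from the host's JVM configuration rather than a bundled set, since that changes what callers are trusting. The same applies to the identical hunk in `apache/v2/GoogleApacheHttpTransport.java`; the constructor begins and ends outside both hunks.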
@@ -30,10 +30,11 @@ public class ITGoogleApache5HttpTransportTest { @Test - public void testHttpRequestFailsWhenMakingRequestToSiteWithoutGoogleCerts() + public void testHttpRequestFailsWhenMakingRequestToSiteWithoutDefaultJdkCerts() throws GeneralSecurityException, IOException { Apache5HttpTransport apache5HttpTransport = GoogleApache5HttpTransport.newTrustedTransport(); - HttpGet httpGet = new HttpGet("https://maven.com/"); + // Use a self-signed certificate site that won't be trusted by default trust store + HttpGet httpGet = new HttpGet("https://self-signed.badssl.com/"); Exception exception = null; try { apache5HttpTransport @@ -43,7 +44,7 @@ public void testHttpRequestFailsWhenMakingRequestToSiteWithoutGoogleCerts() new HttpClientResponseHandler() { @Override public Void handleResponse(ClassicHttpResponse response) { - fail("Should not have been able to complete SSL request on non google site."); + fail("Should not have been able to complete SSL request with untrusted cert."); return null; } }); diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java b/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java index 93347cd3e..b1a798506 100644 --- a/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java +++ b/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java @@ -14,10 +14,8 @@ package com.google.api.client.googleapis.apache.v2; -import com.google.api.client.googleapis.GoogleUtils; import com.google.api.client.googleapis.mtls.MtlsProvider; import com.google.api.client.googleapis.mtls.MtlsUtils; -import com.google.api.client.googleapis.util.Utils; import com.google.api.client.http.apache.v2.ApacheHttpTransport; import com.google.api.client.util.Beta; import com.google.api.client.util.SslUtils; 
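Review bot: The negative test now depends on a live third-party host, `https://self-signed.badssl.com/`, so it checks certificate rejection only while that site is reachable and still serves a self-signed certificate. A DNS failure, an outage or a certificate change there would surface as a different exception or as a completed request, and the test would fail for reasons unrelated to the trust store; the `try`/`catch` that decides this ends outside the hunk. Consider serving a throwaway self-signed certificate from a local TLS listener started by the test, or at minimum extend the comment, e.g. `// Requires outbound network access to badssl.com`. The tests added later in this series against `central.sonatype.com` and `www.google.com` carry the same dependency.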
@@ -47,11 +45,8 @@ public final class GoogleApacheHttpTransport { /** - * Returns a new instance of {@link ApacheHttpTransport} that uses {@link - * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. If - * `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to "true", and the default - * client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} is not null, then the - * transport uses the default client certificate and is mutual TLS. + * Returns a new instance of {@link ApacheHttpTransport} that uses default jdk certs for the + * trusted certificates. */ public static ApacheHttpTransport newTrustedTransport() throws GeneralSecurityException, IOException { @@ -60,8 +55,8 @@ public static ApacheHttpTransport newTrustedTransport() /** * {@link Beta}
- * Returns a new instance of {@link ApacheHttpTransport} that uses {@link - * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. mtlsProvider can be used + * Returns a new instance of {@link ApacheHttpTransport} that default jdk certs for the + * trusted certificates. mtlsProvider can be used * to configure mutual TLS for the transport. * * @param mtlsProvider MtlsProvider to configure mutual TLS for the transport @@ -105,22 +100,20 @@ public SocketFactoryRegistryHandler(MtlsProvider mtlsProvider) mtlsKeyStorePassword = mtlsProvider.getKeyStorePassword(); } - // Use the included trust store - KeyStore trustStore = GoogleUtils.getCertificateTrustStore(); SSLContext sslContext = SslUtils.getTlsSslContext(); if (mtlsKeyStore != null && mtlsKeyStorePassword != null) { this.isMtls = true; SslUtils.initSslContext( sslContext, - trustStore, + null, SslUtils.getPkixTrustManagerFactory(), mtlsKeyStore, mtlsKeyStorePassword, SslUtils.getDefaultKeyManagerFactory()); } else { this.isMtls = false; - SslUtils.initSslContext(sslContext, trustStore, SslUtils.getPkixTrustManagerFactory()); + SslUtils.initSslContext(sslContext, null, SslUtils.getPkixTrustManagerFactory()); } LayeredConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext); From fb25a201e50d99bc0c34538c062b224669512ec5 Mon Sep 17 00:00:00 2001 From: ldetmer Date: Tue, 10 Feb 2026 16:59:50 -0500 Subject: [PATCH 2/7] fix typo --- docs/oauth-2.0.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/oauth-2.0.md b/docs/oauth-2.0.md index 247750b32..029b12bef 100644 --- a/docs/oauth-2.0.md +++ b/docs/oauth-2.0.md @@ -59,7 +59,7 @@ GoogleCredentials credentials = Books books = new Books.Builder( - Gnew NetHttpTransport(), + new NetHttpTransport(), GsonFactory.getDefaultInstance(), new HttpCredentialsAdapter(credentials)) .setApplicationName("BooksExample/1.0") From 92255937cf10f4a1a91deb83d2d2d46eaf653afd Mon Sep 17 00:00:00 2001 
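Review bot: The new Javadoc sentence for the `mtlsProvider` overload has lost its verb: `that default jdk certs for the trusted certificates` should read `that uses the default JDK certificates for the trusted certificates`, matching the wording used in the v5 class. The later formatting patches in this series re-wrap the sentence without restoring the word.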
From: ldetmer Date: Wed, 11 Feb 2026 11:51:46 -0500 Subject: [PATCH 3/7] fix formatting --- .../googleapis/apache/v5/GoogleApache5HttpTransport.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java index b4b8e4203..bf05388df 100644 --- a/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java +++ b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java @@ -57,7 +57,8 @@ public static Apache5HttpTransport newTrustedTransport() /** * {@link Beta}
* Returns a new instance of {@link Apache5HttpTransport} that uses default jdk certificates - * for the trusted certificates. mtlsProvider can be used to configure mutual TLS for the transport. + * for the trusted certificates. mtlsProvider can be used to configure mutual TLS for the + * transport. * * @param mtlsProvider MtlsProvider to configure mutual TLS for the transport */ From 7ac1287790c3f4e67ca27c91945026baa5d6a6de Mon Sep 17 00:00:00 2001 From: ldetmer Date: Wed, 11 Feb 2026 12:01:47 -0500 Subject: [PATCH 4/7] added back missing java doc --- .../googleapis/apache/v5/GoogleApache5HttpTransport.java | 4 +++- .../googleapis/apache/v2/GoogleApacheHttpTransport.java | 9 +++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java index bf05388df..4629ae962 100644 --- a/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java +++ b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java @@ -47,7 +47,9 @@ public final class GoogleApache5HttpTransport { /** * Returns a new instance of {@link Apache5HttpTransport} that uses default jdk certificates for - * the trusted certificates. + * the trusted certificates. If `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set + * to "true", and the default client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} + * is not null, then the transport uses the default client certificate and is mutual TLS. */ public static Apache5HttpTransport newTrustedTransport() throws GeneralSecurityException, IOException { 
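Review bot: The restored Javadoc links to `{@link Utils#loadDefaultMtlsKeyStore()}`, but the first patch of this series removed `import com.google.api.client.googleapis.util.Utils;` from this file and no visible hunk adds it back. Unless the import is restored elsewhere, the reference will not resolve and may trip doclint. A fully qualified link, `{@link com.google.api.client.googleapis.util.Utils#loadDefaultMtlsKeyStore()}`, avoids re-adding an import that only the documentation uses. The matching hunk in `apache/v2/GoogleApacheHttpTransport.java` has the same issue.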
diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java b/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java index b1a798506..9cc1d2667 100644 --- a/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java +++ b/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java @@ -45,8 +45,10 @@ public final class GoogleApacheHttpTransport { /** - * Returns a new instance of {@link ApacheHttpTransport} that uses default jdk certs for the - * trusted certificates. + * Returns a new instance of {@link ApacheHttpTransport} that uses default jdk certificates for + * the trusted certificates. If `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set + * to "true", and the default client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} + * is not null, then the transport uses the default client certificate and is mutual TLS. */ public static ApacheHttpTransport newTrustedTransport() throws GeneralSecurityException, IOException { @@ -56,8 +58,7 @@ public static ApacheHttpTransport newTrustedTransport() /** * {@link Beta}
* Returns a new instance of {@link ApacheHttpTransport} that default jdk certs for the - * trusted certificates. mtlsProvider can be used - * to configure mutual TLS for the transport. + * trusted certificates. mtlsProvider can be used to configure mutual TLS for the transport. * * @param mtlsProvider MtlsProvider to configure mutual TLS for the transport */ From c13a592094ed4486bb6103187c83ca82fe2a4e2b Mon Sep 17 00:00:00 2001 From: ldetmer Date: Wed, 11 Feb 2026 12:07:26 -0500 Subject: [PATCH 5/7] fixed formatting and added additional test --- .../apache/v5/GoogleApache5HttpTransport.java | 12 ++++++------ .../v5/ITGoogleApache5HttpTransportTest.java | 19 +++++++++++++++++++ .../apache/v2/GoogleApacheHttpTransport.java | 11 ++++++----- 3 files changed, 31 insertions(+), 11 deletions(-) diff --git a/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java index 4629ae962..f056024eb 100644 --- a/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java +++ b/google-api-client-apache-v5/src/main/java/com/google/api/client/googleapis/apache/v5/GoogleApache5HttpTransport.java 
@@ -47,9 +47,10 @@ public final class GoogleApache5HttpTransport { /** * Returns a new instance of {@link Apache5HttpTransport} that uses default jdk certificates for - * the trusted certificates. If `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set - * to "true", and the default client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} - * is not null, then the transport uses the default client certificate and is mutual TLS. + * the trusted certificates. If `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to + * "true", and the default client certificate key store from {@link + * Utils#loadDefaultMtlsKeyStore()} is not null, then the transport uses the default client + * certificate and is mutual TLS. */ public static Apache5HttpTransport newTrustedTransport() throws GeneralSecurityException, IOException { @@ -58,9 +59,8 @@ public static Apache5HttpTransport newTrustedTransport() /** * {@link Beta}
- * Returns a new instance of {@link Apache5HttpTransport} that uses default jdk certificates - * for the trusted certificates. mtlsProvider can be used to configure mutual TLS for the - * transport. + * Returns a new instance of {@link Apache5HttpTransport} that uses default jdk certificates for + * the trusted certificates. mtlsProvider can be used to configure mutual TLS for the transport. * * @param mtlsProvider MtlsProvider to configure mutual TLS for the transport */ diff --git a/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java b/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java index db03ab720..8398606d3 100644 --- a/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java +++ b/google-api-client-apache-v5/src/test/java/com/google/api/client/googleapis/apache/v5/ITGoogleApache5HttpTransportTest.java @@ -74,4 +74,23 @@ public Void handleResponse(ClassicHttpResponse response) { } }); } + + @Test + public void testHttpRequestPassesWhenMakingRequestToSiteContainedInDefaultCerts() + throws Exception { + Apache5HttpTransport apache5HttpTransport = GoogleApache5HttpTransport.newTrustedTransport(); + HttpGet httpGet = new HttpGet("https://central.sonatype.com/"); + + apache5HttpTransport + .getHttpClient() + .execute( + httpGet, + new HttpClientResponseHandler() { + @Override + public Void handleResponse(ClassicHttpResponse response) { + assertEquals(200, response.getCode()); + return null; + } + }); + } } diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java b/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java index 9cc1d2667..11c8dbbf3 100644 
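Review bot: `assertEquals(200, response.getCode())` in the added test ties a trust-store check to the HTTP behaviour of a third-party site. Reaching `handleResponse` at all already shows that the handshake succeeded against the default trust store, so a redirect, rate-limit or maintenance response from `central.sonatype.com` would fail the test without any TLS regression. Consider recording inside the handler that it was invoked and asserting that after `execute` returns, instead of pinning the status code. The v2 test file added in the next patch repeats the same assertion.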
--- a/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java +++ b/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java @@ -46,9 +46,10 @@ public final class GoogleApacheHttpTransport { /** * Returns a new instance of {@link ApacheHttpTransport} that uses default jdk certificates for - * the trusted certificates. If `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set - * to "true", and the default client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} - * is not null, then the transport uses the default client certificate and is mutual TLS. + * the trusted certificates. If `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to + * "true", and the default client certificate key store from {@link + * Utils#loadDefaultMtlsKeyStore()} is not null, then the transport uses the default client + * certificate and is mutual TLS. */ public static ApacheHttpTransport newTrustedTransport() throws GeneralSecurityException, IOException { @@ -57,8 +58,8 @@ public static ApacheHttpTransport newTrustedTransport() /** * {@link Beta}
- * Returns a new instance of {@link ApacheHttpTransport} that default jdk certs for the - * trusted certificates. mtlsProvider can be used to configure mutual TLS for the transport. + * Returns a new instance of {@link ApacheHttpTransport} that default jdk certs for the trusted + * certificates. mtlsProvider can be used to configure mutual TLS for the transport. * * @param mtlsProvider MtlsProvider to configure mutual TLS for the transport */ From 6ea8e22afe549cd5a3f3006513014dce5737cbdf Mon Sep 17 00:00:00 2001 From: ldetmer Date: Wed, 11 Feb 2026 12:14:13 -0500 Subject: [PATCH 6/7] added IT tests for apache http transport --- .../v2/ITGoogleApacheHttpTransportTest.java | 102 ++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 google-api-client/src/test/java/com/google/api/client/googleapis/apache/v2/ITGoogleApacheHttpTransportTest.java diff --git a/google-api-client/src/test/java/com/google/api/client/googleapis/apache/v2/ITGoogleApacheHttpTransportTest.java b/google-api-client/src/test/java/com/google/api/client/googleapis/apache/v2/ITGoogleApacheHttpTransportTest.java new file mode 100644 index 000000000..ef02117ad --- /dev/null +++ b/google-api-client/src/test/java/com/google/api/client/googleapis/apache/v2/ITGoogleApacheHttpTransportTest.java 
@@ -0,0 +1,102 @@ +/* + * Copyright 2025 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License + * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the License for the specific language governing permissions and limitations under + * the License. + */ + +package com.google.api.client.googleapis.apache.v2; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.fail; + +import com.google.api.client.http.apache.v2.ApacheHttpTransport; +import java.io.IOException; +import java.security.GeneralSecurityException; +import javax.net.ssl.SSLHandshakeException; +import org.apache.http.HttpResponse; +import org.apache.http.client.ClientProtocolException; +import org.apache.http.client.ResponseHandler; +import org.apache.http.client.methods.HttpGet; +import org.junit.Test; + +public class ITGoogleApacheHttpTransportTest { + + @Test + public void testHttpRequestFailsWhenMakingRequestToSiteWithoutDefaultJdkCerts() + throws GeneralSecurityException, IOException { + ApacheHttpTransport apacheHttpTransport = GoogleApacheHttpTransport.newTrustedTransport(); + // Use a self-signed certificate site that won't be trusted by default trust store + HttpGet httpGet = new HttpGet("https://self-signed.badssl.com/"); + Exception exception = null; + try { + apacheHttpTransport + .getHttpClient() + .execute( + httpGet, + new ResponseHandler() { + + @Override + public Object handleResponse(HttpResponse httpResponse) + throws ClientProtocolException, IOException { + fail("Should not have been able to complete SSL request with untrusted cert."); + return null; + } + }); 
+ fail("Expected SSLHandshakeException was not thrown"); + } catch (SSLHandshakeException e) { + exception = e; + } + + assertNotNull(exception); + assertEquals(exception.getClass(), SSLHandshakeException.class); + } + + @Test + public void testHttpRequestPassesWhenMakingRequestToGoogleSite() throws Exception { + ApacheHttpTransport apacheHttpTransport = GoogleApacheHttpTransport.newTrustedTransport(); + HttpGet httpGet = new HttpGet("https://www.google.com/"); + + apacheHttpTransport + .getHttpClient() + .execute( + httpGet, + new ResponseHandler() { + @Override + public Object handleResponse(HttpResponse httpResponse) + throws ClientProtocolException, IOException { + assertEquals(200, httpResponse.getStatusLine().getStatusCode()); + return null; + } + }); + } + + @Test + public void testHttpRequestPassesWhenMakingRequestToSiteContainedInDefaultCerts() + throws Exception { + + ApacheHttpTransport apacheHttpTransport = GoogleApacheHttpTransport.newTrustedTransport(); + HttpGet httpGet = new HttpGet("https://central.sonatype.com/"); + + apacheHttpTransport + .getHttpClient() + .execute( + httpGet, + new ResponseHandler() { + @Override + public Object handleResponse(HttpResponse httpResponse) + throws ClientProtocolException, IOException { + assertEquals(200, httpResponse.getStatusLine().getStatusCode()); + return null; + } + }); + } +} From 3b4c781b552b543d1ac70d679667f3bea57f6590 Mon Sep 17 00:00:00 2001 From: ldetmer Date: Wed, 11 Feb 2026 12:20:30 -0500 Subject: [PATCH 7/7] move documentation update to separate PR --- docs/oauth-2.0.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/oauth-2.0.md b/docs/oauth-2.0.md index 029b12bef..56a72b165 100644 --- a/docs/oauth-2.0.md +++ b/docs/oauth-2.0.md 
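Review bot: The two assertions after the `try`/`catch` in `testHttpRequestFailsWhenMakingRequestToSiteWithoutDefaultJdkCerts` add almost nothing. The only way past the `try` is through `catch (SSLHandshakeException e)`, so `exception` is always a non-null `SSLHandshakeException` at that point, and the class comparison can only reject a subclass. `assertEquals(exception.getClass(), SSLHandshakeException.class)` also passes the actual value in the expected position, which would make any failure message misleading. If the project's JUnit and Java versions allow it, `assertThrows(SSLHandshakeException.class, () -> ...)` would replace the `try`/`catch`, the inner `fail` and both trailing assertions.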
@@ -47,7 +47,7 @@ For instructions on setting up your credentials properly, see the already have an access token, you can make a request in the following way: ```java -import com.google.api.client.http.javanet.NetHttpTransport; +import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; import com.google.api.client.json.gson.GsonFactory; import com.google.api.services.books.Books; import com.google.auth.http.HttpCredentialsAdapter; @@ -59,7 +59,7 @@ GoogleCredentials credentials = Books books = new Books.Builder( - new NetHttpTransport(), + GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance(), new HttpCredentialsAdapter(credentials)) .setApplicationName("BooksExample/1.0") @@ -79,7 +79,7 @@ App Engine takes care of all of the details. You only specify the OAuth 2.0 scope you need. ```java -import com.google.api.client.http.javanet.NetHttpTransport; +import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport; import com.google.api.client.json.gson.GsonFactory; import com.google.api.services.books.Books; import com.google.appengine.api.appidentity.AppIdentityService; @@ -99,7 +99,7 @@ GoogleCredentials credentials = Books books = new Books.Builder( - new NetHttpTransport(), + GoogleNetHttpTransport.newTrustedTransport(), GsonFactory.getDefaultInstance(), new HttpCredentialsAdapter(credentials)) .setApplicationName("BooksExample/1.0") @@ -373,7 +373,7 @@ a private key downloaded from the [Google API Console][console]. For example, you can make a request in the following way: ```java -HttpTransport httpTransport = new NetHttpTransport(); +HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport(); JsonFactory jsonFactory = GsonFactory.getDefaultInstance(); //Build service account credential 
@@ -405,12 +405,12 @@ additionally call [`GoogleCredential.Builder.setServiceAccountUser(String)`][set This is the command-line authorization code flow described in [Using OAuth 2.0 for Installed Applications][oauth2-installed-app]. -Example usage: +Example snippet from [plus-cmdline-sample][plus-sample]: ```java public static void main(String[] args) { try { - httpTransport = new NetHttpTransport(); + httpTransport = GoogleNetHttpTransport.newTrustedTransport(); dataStoreFactory = new FileDataStoreFactory(DATA_STORE_DIR); // authorization Credential credential = authorize();