Capture HTTPS Traffic in Java with Eclipse and Fiddler

Wed Oct 07 2015 09:41:35 GMT+0000 (Coordinated Universal Time)

    I've been struggling with a JSON parsing error where my application is using Spring to send and receive messages from a RESTful Web Service. It's pretty straightforward: I've annotated my object properties to match up with the appropriate JSON keys, Spring takes my POJO, turns it into a JSON string, and sends the request along with the JSON as the body to the HTTPS endpoint, et voilà!

    The Problem

    The problem comes in when something goes wrong with the request/response. Because Spring hides the actual request/response content, debugging it means you need to take a look at the traffic being sent over the wire. Since we're using a good RESTful service, the connection is made over HTTPS, meaning it's encrypted using a key that we don't have.

    On top of that, it appears that Fiddler doesn't automatically capture Java HTTP traffic, so that's a thing too.

    After some internet sleuthing, I put together a solution that I wanted to share with you all, and so that I don't forget how to do it myself.

    Setup

    1. Download and install Fiddler. I used Fiddler4, because I'm awesome.
    2. Run it and make sure it's capturing HTTP traffic
    3. Open Tools --> Fiddler Options --> Connections Tab and take note of the "Fiddler listens on port" value. It's likely 8888, but best to be sure.
    4. In the same window, select the HTTPS tab and make sure that the following options are checked:
      • Capture HTTPS CONNECTS
      • Decrypt HTTPS traffic (...from all processes)
    5. Read, and if you're alright with it, install the certificate.
    6. On the HTTPS tab, click the Export Root Certificate to Desktop and click OK.

    Generating a Keystore

    1. Open a command line terminal as an administrator
    2. Run the keytool for the JDK your application is using:
    <JDK_Home>\bin\keytool.exe -import -file C:\Users\<Username>\Desktop\FiddlerRoot.cer^
     -keystore FiddlerKeystore -alias Fiddler
    
    3. Enter a password and remember it
    4. Your keystore is created as a file named "FiddlerKeystore". Take note of where it is located on your machine.

    Configuring Eclipse

    NOTE: You are not required to use Eclipse for this, but it seems to be the popular way of writing Java code.

    1. Open your project and go to Run --> Run Configurations
    2. Select the Run Configuration for which you want to capture the HTTPS traffic.
    3. Select the Arguments tab
    4. Add the following to the "VM arguments" text box:
    -DproxySet=true
    -DproxyHost=127.0.0.1
    -DproxyPort=8888
    -Djavax.net.ssl.trustStore="path\to\keystore\FiddlerKeystore"
    -Djavax.net.ssl.trustStorePassword=yourpassword
    
    5. Click the Apply button
    6. Click the Run button to try it out

    Tada! You're done, and you should now be able to run your code and see the HTTP request and response, completely.

    Alternative Solution --- Configuring Your Code

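    Add the following lines to the application whose HTTPS traffic you want to capture, so that they run before it opens its first connection.

    		// for capturing HTTP traffic
    		System.setProperty("http.proxyHost", "127.0.0.1");
    		System.setProperty("http.proxyPort", "8888");
    		// for capturing HTTPS traffic
    		System.setProperty("https.proxyHost", "127.0.0.1");
    		System.setProperty("https.proxyPort", "8888");
    		// trust the Fiddler root certificate (the keystore from "Generating a Keystore");
    		// without this the TLS handshake through Fiddler fails certificate validation
    		System.setProperty("javax.net.ssl.trustStore", "path\\to\\keystore\\FiddlerKeystore");
    		System.setProperty("javax.net.ssl.trustStorePassword", "yourpassword");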
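
The system properties above apply to every connection the JVM makes. As an added example (not code from the original post), the following class scopes both the Fiddler proxy and the Fiddler trust store to a single HttpsURLConnection and prints the certificate issuer to confirm the request was intercepted; the class name, endpoint URL, keystore path and password are placeholders.

```java
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class FiddlerDebugClient {
    // Build an SSLContext that trusts only the certificates in the given keystore
    // (the Fiddler root imported with keytool). The JVM default trust store is untouched.
    static SSLContext fiddlerContext(String keystorePath, char[] password) throws Exception {
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(keystorePath))) {
            trusted.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: keystore path and password from the keytool step,
        // Fiddler listening on 127.0.0.1:8888, and a placeholder endpoint.
        SSLContext ctx = fiddlerContext("path\\to\\keystore\\FiddlerKeystore",
                "yourpassword".toCharArray());
        Proxy fiddler = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("127.0.0.1", 8888));

        URL url = new URL("https://service.example/api/resource"); // placeholder URL
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection(fiddler);
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // applies to this connection only

        System.out.println("Status: " + conn.getResponseCode());
        // Through Fiddler, the leaf certificate is issued by Fiddler's root, not the real CA.
        X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("Issuer: " + leaf.getIssuerX500Principal());
        conn.disconnect();
    }
}
```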
    

    -- Thanks for playing. ~ DW
