How to set up SSL on an embedded Jetty? - ssl

I've got jetty 7.x embedded. Basically just creating a SelectChannelConnector to listen on port 80 and WebAppContext to deploy a single WAR directory.
I need to add SSL now (all the keystore stuff is done), and I would have guessed to just add an SslSelectChannelConnector, but all the methods are deprecated without any javadocs to explain why, and what to do instead. And the Jetty/SSL docs only show some XML without describing what to do with it.
Can anyone get me the entry point here to setting up SSL an an embedded instance of Jetty? I don't think this will be complicated, I just don't know what class to start with in the current release.

A response from the Jetty Users Email Group:
David,
You need to create an instance of
SslContextFactory and configure it
with your keystore parameters. After
that you'll need to pass that instance
to the SslSelectChannelConnector's
constructor. Recently modified
configuration file jetty-ssl.xml shows
how it is done in XmlConfiguration,
and could be easily translated into
code. This will be documented in Jetty
Wiki as soon as we get a chance.
-Michael

I've been using this and it works just fine for me thus far:
//Set up SSL keystore
SslContextFactory sslContextFactory = new SslContextFactory("/etc/mykeystore");
sslContextFactory.setKeyStorePassword("yourpassword");
SslSelectChannelConnector selectChannelConnector = new SslSelectChannelConnector(sslContextFactory);
selectChannelConnector.setPort(4567); //your port

Related

How do make an SSL Connection from a Kong serverless function using a client certificate

I'm trying to create a serverless function for Kong for authentication purposes. I'm required to use a client certificate to authenticate with the remote service that we have to use. I can't seem to get this working and there appears to be no clear documentation on how to do this. I've tried pintsized/lua-resty-http, ngx.socket.tcp(), and luacurl (failed to build) without success. I'm using the newest version of Kong in an Alpine Linux container in case that matters.
What is the best way to do this? Right now I'm considering simply calling curl from within Lua as I know that works, but I was hoping for a better solution that I can do with just Lua/OpenResty.
Thanks.
UPDATE: I just wanted to add, just in case it helps, that I'm already building a new image based on the official Kong one as I had to modify the nginx configuration templates, so installing new software into the container is not an issue.
All,
Apologies for the ugly code, but it looks like a found an answer that works:
require("socket")
local currUrl= "https://some.url/"
local https = require("ssl.https")
local ltn12 = require("ltn12")
local chunks = {}
local body, code, headers, status = https.request{
mode = "client",
url = currUrl,
protocol = "tlsv1_2",
certificate = "/certs/bundle.crt",
key = "/certs/bundle.key",
verify = "none",
sink = ltn12.sink.table(chunks),
}
If someone has a better answer, I'd appreciate it, but it's hard to complain about this one. The main issue is that while this works for a GET request, I'll be wanting to do POSTs to a service in a future and I have no idea how to do it using similar code. I'd like one libary/API that can do any type of REST request.
This blog got me on the right track: http://notebook.kulchenko.com/programming/https-ssl-calls-with-lua-and-luasec

JHipster - Problems with the configuration of LDAPS

I've genrated my application with JHipster. I've changed the authentication way in my project to use LDAPS.
I added configuration in application.yml
Server SSL:
key-store: classpath:keystore.jks
key-store-password: secret
key-password: secret
I didn't add any other code (i.e. java) for this certificate.
When I try to launch my application in a browser, it doesn't work; however if I delete this configuration, it works. Does my application really needs a certificate for the connection to LDAPS?
What is wrong with this code, should I add java code somewhere to complete my configuration?
Thanks for your answers
Not enough information to help you. Which version of JHipster, which authentication did you choose when generating your app?
To make it work with LDAP you must change the SecurityConfiguration class.

Grails generating proper links when deployed behind proxy

Consider the following setup for a deployed Grails application.
the Grails application is deployed on a Tomcat server (tomcat7)
in front of Tomcat an Apache webserver is deployed
Apache does SSL offloading, and acts as a proxy for Tomcat
So far a quite standard setup, which I have used succesfully many times. My issue is now with the links generated by the Grails application, especially those for the redirects (the standard controller redirects, which occur all the time e.g. after succesfully posting a form).
One configuration is different from all the other applications so far: in this Grails application no serverURL is configured. The application is a multi-tenant application, where each tenant is given it's own subdomain. (So if the application in general is running under https://www.example.com, a tenant can use https://tenant.example.com.) Subdomains are set automagically, that is without any configuration at DNS or Apache level. Grails can do so perfectly, by leaving out the serverURL property in Config.groovy: it then resolves all url's by inspecting the client host.
However: when generating redirect-url's, Grails is not aware the website is running under https. All redirect url's start with http... I guess this is no surprise, because nowhere in the application it is configured we are using https: there is no serverURL config, and technically the application is running on the standard http port of Tomcat, because of the SSL offloading and proxying by Apache.
So, bottom line: what can I do to make Grails generate proper redirects?
I have tried to extend the DefaultLinkGenerator and override the makeServerURL() method. Like this:
class MyLinkGenerator extends DefaultLinkGenerator {
MyLinkGenerator(String serverBaseURL, String contextPath) {
super(serverBaseURL, contextPath)
}
MyLinkGenerator(String serverBaseURL) {
super(serverBaseURL)
}
def grailsApplication
/**
* #return serverURL adapted to deployed scheme
*/
String makeServerURL() {
// get configured protocol
def scheme = grailsApplication.config.grails.twt.baseProtocol ?: 'https://'
println "Application running under protocol $scheme"
// get url from super
String surl = super.makeServerURL()
println "> super.makeServerURL(): $surl"
if (surl) {
// if super url not matching scheme, change scheme
if (scheme=='https://' && surl?.startsWith('http://')) {
surl = scheme + surl?.substring(7)
println "> re-written: $surl"
}
}
return surl
}
}
(Maybe not the most beautiful code, but I hope it explains what I'd like to do. And I left out the bit about configuring this class in resources.groovy.)
When running this code strange things happen:
In the log you see the code being executed, and a changed url (http > https) being produced, but...
The redirect sent to the browser is the unchanged url (http)
And even worse: all the resources in the generated views are crippled: they now all start with // (so what should be a relative "/css/myapp.css" is now "//css/myapp.css")
Any help or insight would be appreciated!
Grails version is 2.1.1 by the way (running a bit behind on upgrades...).
It seems you're always talking https to the outside world, so your cleanest option is to solve the problem where it originates, at your Apache webserver. Add to httpd.conf Header edit Location ^http://(.*)$ https://$1, and you're done.
If you have limitations that force you to solve this in your application you could do the rewrite of the Location header field in a Grails after interceptor. Details of that solution are in this post.
Some years have past since this question was written, but problems remain the same or at least similar ;-)
Just in case anyone hits the same/similar issue (that Grails redirect-URLs are http instead of https) ... We had this issue with a Grails 3.3.9 application running on OpenShift. The application was running in HTTP mode (on Port 8080) and the OpenShift Loadbalancer was doing the SSL-Termination.
We solved it by putting
server:
use-forward-headers: true
into our application.yml. After that Grails works perfect and all the redirects created were correct with https://.
Hint: We have do not use grails.serverURL in our configuration

DataSource naming JBossEAP 6.2 vs Web Logic

I am porting a suite of related applications from WebLogic to JBoss EAP v6.2.
I have set up a data source connection using the JBoss command line interface and hooked it to an oracle database. This database has a name of "mydatasource" and a JNDI name of
"java:jboss/datasources/mydatasource" as per JBoss standards. I can test and validate this database connection.
However, when I try to port the code and run it, the connection doesn't work. The code that worked in WebLogic was simply:
InitialContext ic = new InitialContext() ;
DataSource ds = (DataSource)ic.lookup(dataSource) ;
with a value in dataSource of "mydatasource".
This worked in Web Logic but in JBoss it throws a NameNotFoundException
javax.naming.NameNotFoundException: mydatasource-- service jboss.naming.context.java.mydatasource
Clearly there is a difference in how the InitialContext is set up between the two servers.
But this port involves a large number of small applications, all of which connect to the datasource via code like that above. I don't want to rewrite all that code.
Is there a way through configuration (InitialContextFactory, maybe) to define the initial context such that code like that above will work without rewriting, or perhaps is there another way of naming the datasource that JBoss will accept that would allow code like that above to work without rewriting?
Or must we bite the bullet and accept that this code needs a rewrite?
Update: Yes, I know that simply passing "java:jboss/datasources/mydatasource" to the InitialContext lookup solves the problem, but I am looking for a solution via configuration, rather than via coding if there is such a solution.
The way to do this correctly through configuration is to use
java:comp/env/jdbc/myDataSource
then use resource-ref in web.xml to map it to the declare datasource and use weblogic.xml or jboss-web.xml to actually map it to the real one
in weblogic admin console, when you define datasource it can be jdbc/realDataSource
JNDI path Tomcat vs. Jboss
For weblogic http://docs.oracle.com/cd/E13222_01/wls/docs103/jdbc_admin/packagedjdbc.html

To implement SSL on JMX

I am new to jmx and ssl. Now I am trying to implement jmx with ssl.
I have created keystore and truststore as specified in the link http://www.techbrainwave.com/?p=953.
And implemented a simple java application in eclipse as in https://blogs.oracle.com/jmxetc/entry/jmx_connecting_through_firewalls_using. I configured kestore and truststore files like this,
System.setProperty("javax.net.ssl.keyStore", "C:\\Users\\Administrator\\Desktop\\Certificates\\keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "123456");
Now I have to run the application with jboss. So I edited properties - services.xml. set the same properties with tag like this,
<attribute name="Properties">
javax.net.ssl.trustStore = C:\\Users\\Administrator\\Desktop\\certificates\\truststore.jks
</attribute>
It is working now. My doubt is is this the correct way of implementing jmx and SSL with jboss? or do I have any other way to implement it? please tell me if I am wrong.
Thanks in advance,
its a right way, you can check this link for more details, if you need to run your application in jboss you can specify the properties in wrapper conf