I have a machine running Jetty. On there I have multiple jetty instances running on different ports. For instance I have the "live" version running on the default port 80. I also have the "R&D" version running on the same machine but on port 2280. This works just fine, however the client needed to add SSL so the default would now be running off port 443. The issue is when I try to run both at the same time the R&D version will fail because it is trying to map to 443 because of the SSL. The config still has the R&D pointing to 2280 but does not start. Is there a way to run both at the same time using the single SSL certificate? I tried adding connectors in the jetty.xml file but that did not work. Thanks.
How are you adding the connector? You can definitely configure the port of the connector.
I typically run Jetty programmatically, and my code is as follows:
int httpsPort = ...;
HttpConfiguration httpConfig = new HttpConfiguration();
httpConfig.setSecureScheme("https");
httpConfig.setSecurePort(httpsPort);
SslContextFactory sslContextFactory = new SslContextFactory();
// configure sslContextFactory: keystore, session timeout, exlcluded protocols etc...
ServerConnector httpsCon = new ServerConnector(server, new SslConnectionFactory(sslContextFactory, "http/1.1"), new HttpConnectionFactory(httpConfig));
httpsCon.setPort(httpsPort);
server.addConnector(httpsCon);
Sorry, I am not sure how to configure that via XML server configuration, but they tend to map very closely between XML config and programmatic config.
Related
I'm trying to make a ssl webserver with jetty, but I do not want to provide the server certificate if any client tries to connect. On normal cases anybody can download the server certificate, trust and connect to the server. But I would like to install the server certificate manuelly on my client to be sure, that only my client has that cert and can connect to my server.
Is that possible? I didn't find anything around the web related to Jetty.
I'm playing with some example code and my truststore. Nothing special.
final Server server = new Server();
server.setHandler(new HelloWorld());
final HttpConfiguration httpConfiguration = new HttpConfiguration();
httpConfiguration.setSecureScheme("https");
httpConfiguration.setSecurePort(8085);
final ServerConnector http = new ServerConnector(server,
new HttpConnectionFactory(httpConfiguration));
http.setPort(8081);
server.addConnector(http);
final SslContextFactory sslContextFactory = new SslContextFactory("mykey.jks");
sslContextFactory.setKeyStorePassword("tester");
sslContextFactory.setNeedClientAuth(true);
final HttpConfiguration httpsConfiguration = new HttpConfiguration(httpConfiguration);
httpsConfiguration.addCustomizer(new SecureRequestCustomizer());
final ServerConnector httpsConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
new HttpConnectionFactory(httpsConfiguration));
httpsConnector.setPort(8085);
server.addConnector(httpsConnector);
server.start();
server.join();
I know, that's a special usecase. If there is a better solution, let me know (and no, login session is no option for me). It has to be as simple as it is possible.
Instead of attempting security though obscurity you should implement Two Way SSL. You can take a look at 2-Way SSL with Java: The Keystore Strikes Back article.
The client can always blindly trust or ignore any certificate presented by the server. As long as someone knows the server address they will be able to make a request.
So i have a java app that uses Google Analytics API to gather some info. I am putting this application to run in my oracle cloud managed server which has a firewall and blocks any web calls to work. So, they setup a proxy for me to use....I've never set up a proxy to work with a java application before, I've been reading at tutorials like this: http://docs.oracle.com/javase/1.5.0/docs/guide/net/proxies.html
And i have no idea how to set this up...anyone want to point me in the right direction?
You must tell your application that there's a proxy somewhere.
As the documentation says, you must set some properties in your virtual machine. You can do it programatically:
//Set the http proxy to webcache.mydomain.com:8080
System.setProperty("http.proxyHost", "webcache.mydomain.com");
System.setPropery("http.proxyPort", "8080");
// Next connection will be through proxy.
URL url = new URL("http://java.sun.com/");
InputStream in = url.openStream();
// Now, let's 'unset' the proxy.
System.clearProperty("http.proxyHost");
// From now on http connections will be done directly.
Or use https.proxy... if the connection is HTTPS.
Besides, if you have access to the application server start script, you could add those properties as VM properties with -Dhttp.proxyHost....
The solution in my case was to configure the JVM with a HTTPS proxy:
System.setProperty("https.proxyHost", "proxy");
System.setProperty("https.proxyPort", "3128");
I've been serving a web application over HTTPS on the default port of 443 with embedded Jetty (let's call that serverA) on Ubuntu 14.04 (using a self-signed certificate). It's been working fine for ages now, but I want to run another embedded Jetty web server (serverB) on the same machine. I'd like serverB to run SSL using the default port 443, so I need to change serverA to listen for requests on some other port.
I've been trying serverA with 444 and 8080. The server fires up just fine, telling me that it's listening for requests on the correct port. but requests just hang and the server logs are telling me nothing. If I start the server up listening on port 443, then everything works fine.
I didn't think it matters which port I use as long as I have the web server configured to use SSL. Is there something else I need to do?
Here's my launch code:
// Java 7 bug (feature?) - this disables SNI everywhere...
// required or else outgoing HTTPS requests will fail
System.setProperty("jsse.enableSNIExtension", "false");
PropertyConfigurator.configure("./log4j.properties");
Server server = new Server();
WebAppContext webapp = new WebAppContext();
webapp.setContextPath("/");
webapp.setWar("war");
server.setHandler(webapp);
HttpConfiguration https = new HttpConfiguration();
https.addCustomizer(new SecureRequestCustomizer());
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("keystore.jks");
sslContextFactory.setKeyStorePassword("password");
sslContextFactory.setKeyManagerPassword("password");
ServerConnector sslConnector = new ServerConnector(server,
new SslConnectionFactory(sslContextFactory, "http/1.1"),
new HttpConnectionFactory(https));
sslConnector.setPort(port);
server.setConnectors(new Connector[] { sslConnector });
try {
LOG.info("Starting server on port " + port);
server.start();
server.join();
} catch (Exception e) {
LOG.fatal("The web server has crashed", e);
}
Note: The reason this is on StackOverflow and not SuperUser or something else is because, from what I understand, the port used for HTTPS is not important. I'm assuming this is a Jetty issue, then.
Edit:
Sorry, forgot to mention Jetty version. It's 9.2.0
Try this, as you didn't tell jetty what is considered secure, its just using defaults.
HttpConfiguration https = new HttpConfiguration();
https.setSecurePort(port); /* missing this */
https.addCustomizer(new SecureRequestCustomizer());
This might seem strange, but is actually needed, because you can be considered secure even if the connection arrived in a non-secure way. Such as from a proxy or an ssl terminated load balancer in front of jetty (the variety of ways is quite stunning)
I have an application deployed on tomcat in linux rhel 5 , now this application makes an external call to internet and my server is behind the proxy server , now how do I configure the tomcat server for it to understand the proxy.
Is there a configuration I can do to redirect all requests send by tomcat to external servers
Also to mention that I did make the entries into catalina.properties
http.proxyHost=
http.proxyPort=8080
Alternatively, configure them as VM parameters in catalina.bat.
-Dhttp.proxyHost=<> -DproxyPort=8080
Another approach would be to configure them at the application level. If you are using java's own api to invoke external url, the proxy could be set as follows. In case you are using another library like apache httpclient, it provides methods to configure the proxy.
SocketAddress proxyAddress = new InetSocketAddress(proxyHost, proxyPort);
Proxy proxy = new Proxy(Type.HTTP, proxyAddress);
URL url = new URL(externalURL);
HttpURLConnection conn = (HttpURLConnection) url.openConnection(proxy);
Is there any way to configure an additional SSL listener port on an existing WebLogic server that uses a different keystore and truststore configuration from the "main" SSL port?
I don't think you can use multiple keystores for the same server - Even if you're using custom key/trust stores, you should be able to consolidate everything (using import/export for keytool/ikeyman).
Under the Server -> Protocols -> Channels tab, you can define an additional port using your SSL protocol of choice (t3s/https/iiops/ldaps) but your issue should be resolved by using the earlier suggestion alone.