SslContextFactory sec = new SslContextFactory();
sec.setValidateCerts(false);
WebSocketClient client = new WebSocketClient(sec);
The above code is implemented for Jetty WebSockets, to tell the java client to disable certificate validation. Is there any way I can achieve the same in Java API for Tomcat8 WebSockets (JSR-356)?
PS: I have tried this method. It didn't work for Secure WebSocket connection of Tomcat WebSockets
Did you generate self signed certificate and trying to use it?
Then import your self signed certificate to new keystore and use that keystore as a trust store on your client side.
For a tyrus websocket client, I use like this:
String keyStorePath = StompClientTest.class.getResource("/myapp.keystore").getPath();
System.getProperties().put("javax.net.debug", "all"); // debug your certificate checking
System.getProperties().put(SslContextConfigurator.KEY_STORE_FILE, keyStorePath);
System.getProperties().put(SslContextConfigurator.TRUST_STORE_FILE, keyStorePath);
System.getProperties().put(SslContextConfigurator.KEY_STORE_PASSWORD, "secret");
System.getProperties().put(SslContextConfigurator.TRUST_STORE_PASSWORD, "secret");
final SslContextConfigurator defaultConfig = new SslContextConfigurator();
defaultConfig.retrieve(System.getProperties());
SslEngineConfigurator sslEngineConfigurator = new SslEngineConfigurator(defaultConfig);
sslEngineConfigurator.setHostVerificationEnabled(false);
StandardWebSocketClient webSocketClient = new StandardWebSocketClient();
webSocketClient.getUserProperties().put(ClientProperties.SSL_ENGINE_CONFIGURATOR, sslEngineConfigurator);
For tomcat read answer in following question: https://stackoverflow.com/a/32205864/386213
Related
Is there any example of how make a HTTPS call with a hapi fhir client ?
FhirContext ctx = new FhirContext();
IGenericClient client = ctx.newRestfulGenericClient("https://fhirtest.uhn.ca/base");
By default the above code will not work as the server will require SSL authentication.
how do I add SSL authentication to the hapi client ??
The next example shows how to connect to a FHIR server using https while using the HAPI FHIR client. Please be aware that this example accepts all certificates. To make it secure you should specify a truststore and a different hostname verifier.
FhirContext ctx = new FhirContext();
KeyStore truststore = null;
SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(truststore, new TrustSelfSignedStrategy()).build();
HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
SSLConnectionSocketFactory sslFactory = new SSLConnectionSocketFactory(sslContext, hostnameVerifier);
CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslFactory).build();
ctx.getRestfulClientFactory().setHttpClient(httpClient);
IGenericClient client = ctx.newRestfulGenericClient("https://fhirtest.uhn.ca/base");
How do I enable secure connections with CometD?
I have an app that is working when I use an "http" protocol for the BayeuxServer. If I switch to "https", I get failed handshakes.
What is the correct way to use a secure connection in CometD?
This is via the Java Client.
Here is the error:
{failure={exception=java.lang.NullPointerException, message={ext={ack=true}, supportedConnectionTypes=[long-polling], channel=/meta/handshake, id=4, version=1.0}, connectionType=long-polling}, channel=/meta/handshake, id=4, subscription=null, successful=false}
I do not see any exceptions on the server (ie, the null pointer is not in our code), and if I use HTTP, it works fine.
I've pieced together the following for the Java client side:
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setTrustAll(true); // only interacting with our backend, so accept self-signed certs
WebSocketClient webSocketClient = new WebSocketClient(sslContextFactory);
webSocketClient.start();
ClientTransport wsTransport = new JettyWebSocketTransport(null, null, webSocketClient);
HttpClient httpClient = new HttpClient(sslContextFactory);
httpClient.start();
ClientTransport httpTransport = new LongPollingTransport(null, httpClient);
I believe that will do it.
I still need to figure out how to configure the server side cometd to accept the secure connections. I am using the Spring setup.
The answer to the server side is: Its a pain in the ass.
Here is how you can get it working with the jetty maven plugin:
http://juplo.de/configure-https-for-jetty-maven-plugin-9-0-x/#comment-53352
I have been attempting to have my jersey client do a ssl client authentication with my Jersey/Grizzly Rest api. Other clients are successful handshaking with this server, but I am having trouble with my java client using Jersey client. When I run the code below, the keystore is successfully loaded and when the SslConfigurator's createSSLContext() is called, the ssl debug output shows this keystore properly being accessed and my private keys found.
However, when the Client's WebTarget is used, the ssl debug output shows the handshake is happening with the default keystore JKS. Why isn't the ClientBuilder using this keystore from the SSLContext?
File tmpConfigFile = File.createTempFile("pkcs11-", "conf");
tmpConfigFile.deleteOnExit();
PrintWriter configWriter = new PrintWriter(new FileOutputStream(tmpConfigFile), true);
configWriter.println("name=ActiveClient");
configWriter.println("library=\"C:\\\\Program Files\\\\ActivIdentity\\\\ActivClient\\\\acpkcs211.dll\"");
configWriter.println("slotListIndex=0");
SunPKCS11 provider = new SunPKCS11(tmpConfigFile.getAbsolutePath());
Security.addProvider(provider);
// KeyStore keyStore = KeyStore.getInstance("PKCS11", provider);
KeyStore keyStore = KeyStore.getInstance("PKCS11");
keyStore.load(null, null);
ClientConfig config = new ClientConfig();
SslConfigurator sslConfig = SslConfigurator.newInstance()
.keyStore(keyStore)
.keyStorePassword("mypin")
.keyStoreType("PKCS11")
.trustStoreFile(TRUSTORE_CLIENT_FILE)
.trustStorePassword(TRUSTSTORE_CLIENT_PWD)
.securityProtocol("TLS");
final SSLContext sslContext = sslConfig.createSSLContext();
Client client = ClientBuilder
.newBuilder().hostnameVerifier(new MyHostnNameVerifier())
.sslContext(sslContext)
.build();
WebTarget target = client.target("https://localhost:8443/appname/resources/employees?qparam=something");
Response res = target.request().accept(MediaType.APPLICATION_JSON).get();
This code actually worked. The problem was that my server's trust certificate wasn't available for the smart card cert that it needed to trust. I added the correct certs to the truststore on the server and then it worked. The ssl debug messages weren't very clear.
I've run into many issues this time and I found a way to achieve my goals. In your example I can not see any use of ClientConfig config instance. This worked for me:
ClientConfig config = new ClientConfig();
config.connectorProvider(new ApacheConnectorProvider());
Client client = ClientBuilder.newBuilder().hostnameVerifier(new MyHostnNameVerifier())
.sslContext(sslContext).withConfig(config).build();
I found ApacheConnectorProvider more suitable for connections using secure layers or proxies (witch was another huge problem I solved).
I want to connect to a https jira server using the jersey client (version 1.1.9).
How do I need to configure the security options to make use of the REST-API?
I followed these instructions:
Accessing secure restful web services using jersey client
But the first link in the answer is broken and I don't know how to configure the truststore and the keystore. Where do I get these files?
I switched to jersey-client-2.19 and configured the keystore and truststore with the keytool.
System.setProperty("jsse.enableSNIExtension", "false");
SslConfigurator sslConfig = SslConfigurator.newInstance()
.trustStoreFile("C:/Program Files/Java/jre1.8.0_45/lib/security/cacerts.jks")
.trustStorePassword("somepass")
.keyStoreFile("C:/Program Files/Java/jre1.8.0_45/lib/security/keystore.jks")
.keyPassword("somepass");
SSLContext sslContext = sslConfig.createSSLContext();
Client client = ClientBuilder.newBuilder().sslContext(sslContext)
.build();
HttpAuthenticationFeature feature = HttpAuthenticationFeature.basic(
JIRA_ADMIN_USERNAME, JIRA_ADMIN_PASSWORD);
client.register(feature);
WebTarget webTarget = client.target(JIRA_URL);
WebTarget projectWebTarget = webTarget.path("project");
Invocation.Builder invocationBuilder = projectWebTarget
.request(MediaType.APPLICATION_JSON);
Response response = invocationBuilder.get();
System.out.println(response.getStatus());
System.out.println(response.readEntity(String.class));
Maybe there is a better way to set the properties for the keystore and truststore. So please let me know.
I have problem with client certifiacates when I use SPDY with Jetty.
It works when I work with NPN and start Jetty SPDY server with:
SSLconnector = new HTTPSPDYServerConnector(server, sslContextFactory);
As a baseRequest.getHttpChannel() it uses org.eclipse.jetty.spdy.server.http.HttpChannelOverSPDY and I can read SSL properties like SSL_SESSION_ID and client certificates with code like:
// ... HttpServletRequest request
java.security.cert.X509Certificate client_certs[] = (java.security.cert.X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
But NPN is not an option in Java8 (see my question How to run Jetty with SPDY using ALPN?). In Java8 I have to use ALPN protocol like:
sslContextFactory.setWantClientAuth(w3srv_config.want_client_auth);
// ...
HttpConfiguration httpConfig = new HttpConfiguration();
SslConnectionFactory ssl = new SslConnectionFactory(sslContextFactory, "alpn");
ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory("spdy/3", "http/1.1");
alpn.setDefaultProtocol("http/1.1");
HTTPSPDYServerConnectionFactory spdy = new HTTPSPDYServerConnectionFactory(SPDY.V3, httpConfig);
HttpConnectionFactory http = new HttpConnectionFactory(httpConfig);
SSLconnector = new ServerConnector(server, new ConnectionFactory[]{ssl, alpn, spdy, http});
//...
With this code I got null when I want to get any SSL related javax.servlet.request.*. Its baseRequest.getHttpChannel() is org.eclipse.jetty.server.HttpConnection$HttpChannelOverHttp.
What I have to change to work with client certificates?
The javax.servlet.request.* properties you are looking for are set by Jetty's SecureRequestCustomizer, which you need to add to the httpConfig object you create in your code example above.
I am guessing that your NPN configuration is slightly different, or you use some utility method in Jetty that does this for you with NPN but not with ALPN.
Just doing:
HttpConfiguration httpConfig = new HttpConfiguration();
httpConfig.addCustomizer(new SecureRequestCustomizer());
should be enough to fix your issue.