I am developing a web application with GWT. Now it is running in development mode in local server with Jetty. Could anyone tell me how can I set up the SSL in this case. Thank you in advance.
I successfully added SSL to a Jetty server in the past following the steps detailed here: http://docs.codehaus.org/display/JETTY/How+to+configure+SSL
The following steps are required to configure Jetty for SSL:
Step 1: Generate or obtain a public/private key pair and x509 certificate.
Step 2: Optionally obtain a certificate from a known certificate authority.
Step 3: Load the keys and the certificates into a JSSE Keystore.
Step 4: Configure a JsseListener with the location and passwords for the keystore.
If you're talking about GWT's DevMode and its embedded Jetty, see http://code.google.com/p/google-web-toolkit/source/browse/trunk/dev/core/src/com/google/gwt/dev/shell/jetty/README-SSL.txt
I always recomend placing a general purpose web server in front of the java server. It is a reverse proxy for the dinamic html and serves directly the static media. The configurability ans flexibility of this configuration is great, and sometimes easier and faster, look at cherokee server, fast, light and has a awesome web interface for administration.
Want to add headers for cross-site ajax?, easy. Configure the *.cache.js to cache forever and the rpc calls to no-cache/private? two clicks!
Related
I'm running two applications on my tomcat sevrer (one is in spring boot, second is in angular which uses the first one) now I want to enable https connections to both of my applications. I have generated the following files:
MyDomain.cer
MyDomain.key
MyDomain.csr
Now I want to secure connection to my applications using TLS 1.2.
And now I'm stuck. According to Tomcat guide i should create a keystore file to store my keys, then I should generate new key. I want to use the files I have already generated, how can I archive this?
Could you describe or redirect me to a page where I can find a step-by-step guide how to configure https on tomcat with the files I have?
found solution:
generate jsk key
put it in tomcat keystore folder (if doesnt exist, create it)
configure server xml to point to key storage with your generated key
more detailed instruction on how to can be found here.
I am building a system on AWS for my client. The client's customers will be able to access a login page and create their own EC2 instance. This EC2 instance will be pre configured with Tomcat and my client's war file auto deployed. The users will be able to access the web application from the ip address. For e.g. Lets say User A logs onto a portal. Clicks on create instance. An instance gets auto provisioned with a URL (like http://18.xx.xx.xx/MyApplication). User A will be able to do a whole bunch of activities on this web site.
Now, is there any way that I can dynamically enable SSL on these. I would need to generate SSL certificates on the fly and attach it to the URL. Ideally UserA should be able to access https://18.xx.xx.xx/MyApplication. Self signed certificates will not cut the ice. This might be rudimentary, but I have limited knowledge on SSL. Any help/tips/links to URLs would be greatly appreciated.
For additional clarity - these instances will not be clustered. User A will have his own instance and his own application. User B will have his own instance and his own application. User A and User B's instances will not be clustered. I need to ensure that User A's instance when created has SSL enabled automatically.
Cheers!
VJ
You may want to setup a DNS with hostnames for each instance. Maybe hostnames like 18-xxx-xxx-xxx.yourdomain.com where "18-xxx-xxx-xxx" is the IP address with - instead of ..
For such hostnames you can generate and renew Let's Encrypt certificates programatically. There exist programs in standard linux repos for generating Let's Encrypt certificates. You cannot generate certificates for IPs. That's why you have to setup hostnames in the first place.
Now you just have to setup the certificate for your Tomcat (programatically).
There's several solutions from AWS that can work for this case, revolving around CloudFormation specifically.
For pre-configured Tomcat and WAR file, and even application, you can create a custom AMI.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
For each deployment, you can use a CloudFormation template to automate provisioning of this AMI.
For SSL, with some CloudFormation templating, you can include an AWS ALB that listens on HTTPS and targets the new server on each deployment. Also, you can provision the new certificate and attach it to the LB.
Here's the useful links:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-listener-certificates.html
I have a Servlets/JSP based traditional Java MVC web application on Tomcat server, I want to implement PKI certificate based authentication. In which user doesn't have to provide the login credentials. Here is the basic requirements:
Admin issues the PKI certificate to the client,
Admin sends the PKI certificate to the client and adds it to the PKI Cert Store,
Client adds the certificate to the browser, and
Whenever client clicks on Login button on the application, the application fetches the browser certificate and authenticate the client from the PKI Cert Store.
Please suggest how to proceed with this kind of requirement.
First you set up SSL/TLS at the Tomcat server level.
Then you use a security framework at the webapp level to enforce the SSL client certificate (X.509) authentication requirement on specific URL paths (or patterns of) such as the login URL. One such commonly used library which allows flexible configuration of client certificate authentication is Spring Security, with which you can use either a XML configuration file or Java annotations in your webapp to get what you want. On the documentation link about X.509 authentication, you also have the necessary SSL setup instructions for Tomcat.
You may find another way to do client certificate authentication natively in Tomcat using some configuration in the webapp deployment descriptor (web.xml) and in Tomcat realm configuration (e.g. tomcat-users.xml), but it is quite tedious and far less flexible.
I want to host REST APIs over https. REST web services will be written in java probably using spring framework.
These web services will be accessed by java clients (not web browsers), probably using org.apache.http lib.
I am not getting clear picture of working with SSL certificates.
My questions are -
What configurations will be required to host REST web services over "https"?
What configurations will be required at client side for accessing these "https" URIs?
Do I need to buy trusted SSL certificate for REST server or open java keygen will do?
Do I need the same/different certificate copy on REST client too?
No particular configuration, you just need https activated.
No particular configuration, you just need to take care to use libs that check the certificate.
If you write the client, you can use a self signed one, and customize the client to check if it's your certificate. If anybody can write a client, it's better to have a publicly trusted certificate. WARNING : the free let's encrypt certificate are NOT trusted by java !
Why do you want a certificate on your client ?
Side note: if your API is publicly accessible, I strongly advise you do NOT redirect http to HTTPS but instead makes HTTP systematically answer an error. If you don't do so, a developer that use by mistake the http will NOT see the error and that will create security risks.
We've built a Java EE app in JBoss that exposes web services to external consumers. We want to secure these services so that we know who is making the web service invocations. We have a registration process that requires the consumers to upload their public key so that we can add it to our truststore. However it is currently a manual process of using the keytool from the command line to add them to the truststore.
This whole setup seems rather primitive. I don't like the idea of a truststore on the filesystem that is not part of the database. There must be an approach that lets you utilize the database to store the certs. Should I put the certs in a blob column, and roll my own custom TrustManager that pulls the public key out of the db and verifies the signature? Or is there some other generally implemented open-source solution to this problem?
Why don't you just store the PEM file in database? It can be a BLOB or a text column.
Google's web app registration is a good example,
http://code.google.com/apis/accounts/docs/RegistrationForWebAppsAuto.html#register
Look at step 4: Upload a security certificate.