I'm developing a simple web services using Java EE Servlets.
My clients are a simple java apps (no browsers), so I need to secure my communication using TLS (or SSL v3). About Application server, I'm using Glassfish v3.
For example, I need to transfer some data from client to server within a HTTP Post Request into a secure connection.
There are some external libraries, server configurations or tutorial that can I use?
On the server side you must somehow expose your servlets via HTTPS. If you are using tomcat, check out SSL Configuration HOW-TO. If you have an Apache web server in front, see: Apache SSL/TLS Encryption.
On the client side ssl and https support is built into JDK, just call any https://... address using URLConnection. However remember that the certificate your server uses must be trusted - either confirmed by some authority or added manually on the client. Self-signed certificates by default won't be accepted.
Related
So basically, I have made a RESTful API using ServiceTalk from Apple (Netty implementation) and Jersey and it works. Only through http though. I have seen that when I was making my React web page make a POST request through http, it would complain about CORS (which I'm still trying to fix) and that the browser (At least Brave) would not allow the request to be made because it was http and my web page was running on https using let's encrypt cert. How do I fix this issue? Do I need to add SSL with Netty? If so, how can I do that with a certificate that's going to be changing every once in a while?
I also have NGINX setup with Let's Encrypt and enabled auto-renew certificate setting from the setup wizard for NGINX + Let's Encrypt. If I can somehow make NGINX run the HTTPS request as a proxy to the netty server on http, then I think it would also be a better solution. I know this is a common practice with NodeJS Express + NGINX.
You are right, if you already have NGINX that serves your static content (html/css/js) it will be better to configure it as a proxy for a ServiceTalk backend service. That will let you keep SSL/TLS configuration in one place (NGINX config file only) and you will be able to use its auto-renew certificate feature. For an example of how you can configure NGINX as an SSL/TLS proxy for a backend service, see here: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
However, in this case, your connection between NGINX and ServiceTalk will not be encrypted. In some environments, it might be inappropriate according to security policies and requirements. If this is your case, you also need to configure SSL/TLS for ServiceTalk using HttpServerBuilder.secure() method that returns HttpServerSecurityConfigurator. Here is an example of a secure ServiceTalk server.
To avoid CORS, keep using NGINX as a proxy even when ServiceTalk also configured with SSL/TLS connections. If there is a requirement to avoid additional proxy on the way between a browser and backend service, target ServiceTalk directly. But NGINX gives additional features, like load balancing between multiple backend instances.
To get the best SSL performance in ServiceTalk/Netty we recommend to use OpenSSL provided instead of a built-in JDK provider. For more information, see Performance / netty-tcnative OpenSSL engine documentation section.
Note: ServiceTalk does not auto-renew SSL/TLS certificates. You will need to restart the server when certificate expires.
I actually have a hosting service who has a subdomain, that subdomain function is to redirect to my local server where I have my services, for example:
My domain: example.com
Subdomain: guaymas.example.com // His function is to redirect to my server (firewall)
Redirect to a port : guaymas.example.com:8080 // where I have my services
And through a port I have a web service, in order to make the data transfer more secure I wanted to implement a SSL certificate but because of my configuration I’ḿ not able to generate the certificate with letś encrypt (because buying one is not an option), I can’t verify with http or dns method, Is there any other method that I can use to generate the SSL certificate?
PD: I'm using GlassFish and Soap web services on JAVA, those are running on Linux Server and my distro is deepin
Thanks a lot
I have the following scenario:
Web application (currently running in Eclipse)
Apache httpd proxy
5 backend servers (tomcat) all listening on HTTPS
I have valid certificates for all backend servers and also have the cert chain imported in the keystore. Can anyone explain to me or give me a sample config for the proxy? I am getting different errors when trying to establish trust between the proxy and backend servers like (downstream server wanted client certificate but none are configured).
I would like to run a servlet in Jetty on an HTTPS site that requires a client certificate for only part of the site (specific URLs). For example:
https://example.com/someservlet/public - no client cert required
https://example.com/someservlet/protected - client cert required
In Apache I can accomplish this by specifying SSLVerifyClient require inside a <Directory> or <Location> which forces Apache to renegotiate the SSL connection after the request is made.
I do not want to run Jetty embedded in anything else, just standalone. Is this possible? Can a Servlet cause this directly somehow? Can it be done via configuration?
As far as I know you can only specify the SSL options on a per-port basis.
Even if you could the configuration you are trying to achieve is problematic, as it needs the SSLRenegotiation which has been changed about a year ago because of a security vulnerability. The new method for performing an SSLRenogitiation is therefore only supported by newer clients and sometimes even if it is supported it does not work because of bugs.
My recommendation for an easy workaround: Configure Jetty to listen on two SSL ports:
For example on 443 without HTTPS Client auth and on 8443 with HTTPS client auth required. Then make your protected servlet only available on 8443. This is not a nice solution but 100% robust, works with Jetty and with all clients.
I'm using Apache Axis 1.5.1 to code a web service client connecting to a service over SSL. My application is running in Tomcat with SSL configuration setup in JKS. However, when I connect to the server, the connection is failing because the cert from our client is not being sent to the server. Is this something that has to be set in the client through code? Also note that the server does not need any user name or password authentication. With SSL turned off, everything works fine.
Thanks,
Two common approaches here:
http://ws.apache.org/xmlrpc/ssl.html
WebLogic has its own stuff:
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/security/SSL_client.html#wp1029670
As long as you have the certificates configured correctly in your trust store accessible to Tomcat, there are no changes to Apache Axis HTTP code.