Jersey https tomcat

Jersey https tomcat

steben
Hi
I try to secure REST Jersey with ssl using tomcat as a server application. I made all changes into the configuration files, but I always have a problem: I can't access the resources of the web service in a browser, while when I try just with http it works well.
Here is my web.xml file

<web-app> <!-- root element; the post quoted only the body of the file -->
    <servlet>
        <servlet-name>Jersey REST Service</servlet-name>
        <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
        <init-param>
            <param-name>com.sun.jersey.config.property.resourceConfigClass</param-name>
            <param-value>com.sun.jersey.api.core.PackagesResourceConfig</param-value>
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.config.property.packages</param-name>
            <param-value>com.webservive.myservices</param-value>
        </init-param>
    </servlet>

    <security-constraint>
        <display-name>Security for Your Enterprise</display-name>
        <web-resource-collection>
            <web-resource-name>Your Enterprise web Security</web-resource-name>
            <description>Redirect all to SSL</description>
            <url-pattern>/*</url-pattern>
            <!-- only the listed methods are constrained -->
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description />
            <role-name>role1</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>Protection should be CONFIDENTIAL</description>
            <transport-guarantee>INTEGRAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
        <role-name>role1</role-name>
    </security-role>
</web-app>

and also the Connector from the server.xml of tomcat


<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="true"
           keystoreFile="security\serverkey.keystore" keystorePass="password"
           maxThreads="200" acceptCount="100"
           minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true" />

thanks in advance

Re: Jersey https tomcat

Pavel Bucek-2
Hello,

have you tried changing transport-guarantee to CONFIDENTIAL?

Pavel


On 4/12/11 9:32 PM, steben wrote:
> Hi I'm working into securing REST Jersey with ssl using tomcat as a server application, I made all changes into the configuration files, but I always have a problem, I can't access the resources of the web service in browser, while when I try just with http it works well
> Here my web.xml file
> [web.xml and server.xml quoted as in the original post above]
> thanks in advance
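Pavel's suggestion concerns the transport-guarantee, so it helps to see exactly what a container enforces from that security-constraint. The following is an added example, not code from the thread, Jersey or Tomcat: a small Python evaluator of the servlet security-constraint rules, run over a constructed copy of the first post's web.xml (namespace omitted; the parser accepts namespaced files too). It shows that INTEGRAL and CONFIDENTIAL both send a plain-HTTP request to the SSL connector (Tomcat treats the two identically), so switching one for the other will not by itself make the HTTPS resource reachable; that an explicit `<http-method>` list leaves every unlisted method (PATCH here) unconstrained and unauthenticated; and that the role check only runs after the login method has produced roles. The `/users` path and the role names in the checks are assumptions. One thing the thread never returns to: the connector's `clientAuth="true"` makes Tomcat demand a client certificate during the TLS handshake, so a browser that has none fails before any of these rules run.

```python
"""Added example: evaluate <security-constraint> rules the way a servlet
container does. Standalone illustration, not Jersey/Tomcat/GlassFish code."""
import xml.etree.ElementTree as ET

# Constructed copy of the security section of the web.xml from the first post.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Your Enterprise web Security</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</web-app>"""

SECURE_TRANSPORTS = ("INTEGRAL", "CONFIDENTIAL")


def parse_constraints(web_xml_text):
    """Extract every <security-constraint> into a plain dict.

    roles is None when <auth-constraint> is absent (no login needed) and an
    empty list when it is present but names no role (nobody may access)."""
    root = ET.fromstring(web_xml_text)
    constraints = []
    for sc in root.findall(".//{*}security-constraint"):  # {*} = any namespace
        patterns, methods = [], []
        for wrc in sc.findall("{*}web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("{*}url-pattern")]
            methods += [m.text.strip().upper() for m in wrc.findall("{*}http-method")]
        auth = sc.find("{*}auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.findall("{*}role-name")]
        transport = (sc.findtext("{*}user-data-constraint/{*}transport-guarantee") or "NONE")
        constraints.append({"patterns": patterns, "methods": methods,
                            "roles": roles, "transport": transport.strip().upper()})
    return constraints


def url_matches(pattern, path):
    """Servlet url-pattern rules: exact match, path prefix "/x/*" (matches /x
    and /x/...), and extension "*.ext"."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def matching_constraints(constraints, method, path):
    """Constraints whose url-pattern matches path and whose <http-method>
    list, if it has one, names method."""
    method = method.upper()
    return [c for c in constraints
            if any(url_matches(p, path) for p in c["patterns"])
            and (not c["methods"] or method in c["methods"])]


def check_request(constraints, scheme, method, path, user_roles=None):
    """Decide what the container does with one request. user_roles=None means
    the caller has not authenticated; a list (even empty) means it has.

    Returns "allow", "redirect-https", "unauthorized" (401 challenge) or
    "forbidden" (403), in container order: transport, login, then roles,
    combining overlapping constraints the way the Servlet spec describes."""
    matching = matching_constraints(constraints, method, path)
    if not matching:
        # Nothing constrains this method on this path: it goes through in the
        # clear with no authentication. Listing <http-method>s creates this gap.
        return "allow"
    # Transport: NONE on any matching constraint accepts plain HTTP; otherwise
    # INTEGRAL and CONFIDENTIAL both push the client to the SSL connector.
    if scheme != "https" and all(c["transport"] in SECURE_TRANSPORTS for c in matching):
        return "redirect-https"
    if any(c["roles"] is None for c in matching):
        return "allow"  # a matching constraint with no <auth-constraint> opens the resource
    if user_roles is None:
        return "unauthorized"  # triggers the <login-config> method (BASIC, CLIENT-CERT, ...)
    if any(c["roles"] == [] for c in matching):
        return "forbidden"  # empty <auth-constraint/> denies everyone
    allowed = set().union(*(c["roles"] for c in matching))
    return "allow" if "*" in allowed or allowed & set(user_roles) else "forbidden"


def uncovered_methods(constraints, path, methods=("GET", "POST", "PUT", "DELETE",
                                                  "PATCH", "HEAD", "OPTIONS", "TRACE")):
    """Methods that reach path with no constraint at all (the <http-method> pitfall)."""
    return [m for m in methods if not matching_constraints(constraints, m, path)]


if __name__ == "__main__":
    cons = parse_constraints(WEB_XML)
    for scheme, method, roles in [("http", "GET", None), ("https", "GET", None),
                                  ("https", "GET", ["role1"]), ("http", "PATCH", None)]:
        print(scheme, method, roles, "->", check_request(cons, scheme, method, "/users", roles))
    print("uncovered on /users:", uncovered_methods(cons, "/users"))
```

Dropping the `<http-method>` elements altogether makes the constraint cover every method, which is the usual fix for the PATCH gap; newer servlet versions also offer `<deny-uncovered-http-methods/>` for the same purpose.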


Re: Jersey https tomcat

steben
Yes, I changed it to CONFIDENTIAL, but it still doesn't show anything

Re: Jersey https tomcat

Pavel Bucek-2
ok..

can you please try this [1] sample? it should work on any container if
you set up new security realm similarly to what is described in README.html.

From what I can see, <login-config> elem lacks <realm-name>, but I'm
not sure how required that is.. anyway, check out mentioned sample, it
does basically what you need, just with different container.

Hope it helps.
Pavel

[1]
http://download.java.net/maven/2/com/sun/jersey/samples/https-server-glassfish/1.6/https-server-glassfish-1.6-gf-project.zip


On 4/13/11 9:51 AM, steben wrote:
> Yes, I changed to confidential, but also it doesn't show anything
>


Re: Jersey https tomcat

steben
Hi
Thanks so much for your help. I tried the example and it works well, but I have a question: is it the best way for securing a web service? Because I don't see that it uses the SSL protocol, which is recommended for web sites.

Re: Jersey https tomcat

Pavel Bucek-2
it uses https (ssl over http) - deployed app should be accessible on
https://localhost:8181/httpsBasicAuth-webapp/helloworld.

https is the best option for you, but it depends on what exactly you
need - it encrypts all your messages and can take care of authentication
too (when client certificates are used) but you might not need that
level of security. Recommended usecase is basic (or digest) auth over
https, should be sufficient for most cases.

Pavel

On 4/13/11 11:02 AM, steben wrote:
> Hi
> thanks so much for your help, I tried the example and it works well, but I
> have a question is it the best way for securing web service?, because, I
> don't see that it use a protocol ssl which is a recommended for a web sites


Re: Jersey https tomcat

steben
So if I understand, what I need now is to create 2 certificates, for server and client, for authentication, to get a high level of security, because I need to have a high level of security. One more question: once the certificates are created, where should I declare these certificates?

Re: Jersey https tomcat

Pavel Bucek-2
I don't know how to set this on Tomcat - maybe you can ask on their
mailing list.

If you'd use glassfish, it's very similar to that sample, but instead of
file realm, you'd have to use certificate realm and update other
settings accordingly. Just remember you need to set "require client
certificate" (or something like this) because it is not commonly turned
on by default.

Client certificate needs to be stored in client keystore and that should
be sufficient. You might need to implicitly set it as "use certificate
to authenticate"; see https-clientserver-grizzly sample for inspiration.

Certificates can be generated using java keytool or even other tools,
just google for it (or I can do it for you: Keytool documentation:
http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html).
Nice article about security in java can be found here:
http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html.

Pavel

On 4/13/11 11:26 AM, steben wrote:
> so if I understand, what I need now is to create 2 certificates for server
> and client for authentication, to get a high level of security, because I
> need to have a high level of security, one more question once the
> certificates are created where should I declare these certificates,


Re: Jersey https tomcat

steben
thanks so much for help, I will try to add a certificate in glassfish container, and consume the web server on the client

Re: Jersey https tomcat

steben
Hi
I'm trying to configure the certificate realm in glassfish, so I created the certificates for server and client and I trusted the certificates by using the default certificate of glassfish, but I found a problem: when I try to create a certificate realm it doesn't give an option to add groups and users to this realm. What can I do to add users to the certificate?

Re: Jersey https tomcat

Pavel Bucek-2
Hello,

please use [hidden email] for glassfish related questions,
this has nothing to do with jersey.

btw, this should help:
http://download.oracle.com/docs/cd/E18930_01/html/821-2435/ggkuk.html

imo, user can be added as certificates to GF truststore (import that
particular client certificate to trust store is equivalent to "add user"
operation).

Pavel

On 4/14/11 10:49 AM, steben wrote:

> Hi
> I'm trying to configure the certificate realm into glassfish, so I create
> the certificate for server and client and I trusted the certificates by using
> the default certificate of glassfish, but I found a problem, when I try to
> create a certificate realm it doesn't give option to add groups and users to
> this realm, what can I do to add users to the certificate,


Re: Jersey https tomcat

steben
I made the changes that you told me, so I added the user name in the web.xml file and in sun-web.xml.
Here is the web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected resource</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <!-- role granted to the client certificate with CN=10.0.2.2 (see NB below) -->
            <role-name>10.0.2.2</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>

    <security-role>
        <role-name>10.0.2.2</role-name>
    </security-role>

and sun-web.xml
<security-role-mapping>
    <role-name>10.0.2.2</role-name>
    <group-name>Users</group-name>
</security-role-mapping>

NB: I have an android application as client,
so I created a client certificate that has CN=10.0.2.2.
Now I have a problem: when I try to run the web service it fails.

Re: Jersey https tomcat

Pavel Bucek-2
fails how? stacktrace or server.log or minimal testcase would be very
helpful.

On 4/14/11 11:49 AM, steben wrote:

> I made the changes that you told me, so I added the user name in web.xml file
> and sun-web.xml
> here the web.xml
> [web.xml and sun-web.xml quoted as in the post above]
>
> NB: I have android application as client
> so I created a certificate client that has CN=10.0.2.2
> Now I have Problem, when I try to run the web service it fails


Re: Jersey https tomcat

steben
It gives me this error
(Code d'erreur : ssl_error_renegotiation_not_allowed)

Re: Jersey https tomcat

Oleksiy Stashok-2
Pls. try with a newer JDK (1.6.0_23+)

WBR,
Alexey.

On 04/14/2011 11:57 AM, steben wrote:
> It gives me this error
> (Code d'erreur : ssl_error_renegotiation_not_allowed)
>


Re: Jersey https tomcat

steben
Hi,
I have again a question about REST Jersey with glassfish. I created a web service and when I deploy it the first time it works, but when I add some changes to the same service and redeploy it again it gives me the result of the first deployment, that means it doesn't take the changes into consideration, even if I restart the glassfish server. So now how can I resolve this problem, and is there a way to refresh the service permanently to load the changes that occurred in the database?
Thanks

Re: Jersey https tomcat

Pavel Bucek-2
Which kind of changes? And how is database involved in them?

You might have some jdbc level caching enabled, but I don't know much
about this..

Can you please rephrase your question and show us what change are you
doing and how are you redeploying your application?

Thanks,
Pavel

On 4/20/11 11:34 AM, steben wrote:

> Hi,
> I have again a question about REST Jersey with glassfish, I create a web
> service and when I deploy it in the first time it works, but when I add
> some changes to the same service and redeployed it again it gives me the
> result of the first deployment, that means it doesn't take the changes into
> consideration, even if I restart the server glassfish, so now how can I
> resolve this problem, and there is way to refresh service permanently to
> load the changes occurred in the database
> thanks


Re: Jersey https tomcat

steben
Thanks for your reply

I use the ORM EclipseLink to connect to the database. Now I want, for example, when I add a new row into a table, the web service to take this new row and load it, in order to be able to display it to the client without redeploying the glassfish server.

Re: Jersey https tomcat

Pavel Bucek-2
That should work without any issues. Are you sure your new row is
present in the database? Can you access it from other application which
is using eclipseLink as well? There might be some caching involved, but
it doesn't sound to me like a probable reason for your troubles..

Pavel

On 4/20/11 3:08 PM, steben wrote:

> Thanks for your reply
>
> I use the ORM eclipseLink to connect with database, now I want for example
> when I add new row into table, the service on web service take this new row
> and load it, in order to be able to display it for client without
> redeploying the server glassfish
>


Re: Jersey https tomcat

steben
Yes, this is the problem that I have: even if I try to update some data in a table, I have to redeploy the web service to get the new value. I don't know if there's a way to refresh the service permanently without redeploying the server.