Securing WebSocket using wss and HTTPS/TLS (Tech Tip #50)

50th tip on this blog, yaay!

Tech Tip #49 explained how to secure WebSockets using username/password and Servlet Security mechanisms. This Tech Tip will explain how to secure WebSockets using HTTPS/TLS on WildFly.

Let's get started!

  1. Create a new keystore:

    Used “websocket” as the convenience password.
  2. Download WildFly 8.1, unzip it, and copy the “websocket.keystore” file to the standalone/configuration directory.
  3. Start WildFly as
  4. Connect to it using jboss-cli as:
  5. Add a new security realm as:

    And configure it:
  6. Add a new HTTPS listener as:
  7. A simple sample to show TLS-based security for WebSocket is available at github.com/javaee-samples/javaee7-samples/tree/master/websocket/endpoint-wss. Clone the workspace and change directory to “websocket/endpoint-wss”. The sample’s deployment descriptor has:

    This ensures that any request coming to this application will be auto-directed to an HTTPS URL.
  8. Deploy the sample by giving the command:

Now accessing http://localhost:8080/endpoint-wss redirects to https://localhost:8080/endpoint-wss. Browsers may complain about the self-signed certificate. For example, Chrome shows the following warning:

[Screenshot: Chrome self-signed certificate warning]

And Safari shows the following warning:

[Screenshot: Safari self-signed certificate warning]

In either case, click on “Proceed to localhost” or “Continue” to proceed further. And then a secure WebSocket connection is established.

Another relevant point to understand is that a non-secure WebSocket connection cannot be made from an https-protected page. For example, the following code in our sample:

will throw the following exception in Chrome Developer Tools:
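An added example, not part of the original sample: the client-side counterpart of the rule above is to derive the WebSocket scheme from the page's own scheme, so an https page always opens wss, and to refuse a configured ws:// URL from a secure page before the browser does. The function names and the example.test URLs are assumptions made for illustration.

```javascript
// Added example: function names and URLs are constructed for illustration.

// Map the page's scheme to the matching WebSocket scheme.
const WS_SCHEME = { 'http:': 'ws:', 'https:': 'wss:' };

// Build an endpoint URL relative to the page, so a page served over
// https always gets wss and never trips the mixed-content block.
function webSocketUrlFor(pageHref, endpointPath) {
  const page = new URL(pageHref);
  const scheme = WS_SCHEME[page.protocol];
  if (!scheme) {
    throw new Error('unsupported page scheme: ' + page.protocol);
  }
  const target = new URL(endpointPath, page); // resolves relative paths
  return scheme + '//' + target.host + target.pathname + target.search;
}

// Pre-flight check for endpoint URLs that come from configuration:
// true when the page is https but the socket URL is plain ws.
function isMixedContent(pageHref, wsHref) {
  return new URL(pageHref).protocol === 'https:' &&
         new URL(wsHref).protocol === 'ws:';
}

// Open the socket only if it matches the page's security level.
// WebSocketImpl is the constructor to use (window.WebSocket in a browser).
function openSocket(pageHref, wsHref, WebSocketImpl) {
  if (isMixedContent(pageHref, wsHref)) {
    throw new Error('refusing insecure ' + wsHref + ' from a secure page');
  }
  return new WebSocketImpl(wsHref);
}
```

In a browser this is called as `openSocket(location.href, webSocketUrlFor(location.href, 'websocket'), WebSocket)`.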

Enjoy!


6 thoughts on “Securing WebSocket using wss and HTTPS/TLS (Tech Tip #50)”

  1. I replied to another post on your blog and hope you don’t feel I am hounding you. I am a coach with a First Lego League team. This is a competition using Lego Mindstorm robots. As part of the competition we present an idea about a solution to a real life problem. To finalize our presentation we need feedback from a mod developer but I am having difficulty reaching anyone. We simply need to know if there already exists any mods using command keys to move the character and/or a mod that makes different sounds when the characters turns right or left. If there is not such a mod, how much time/cost would it take for a proficient mod developer to make such a mod? We would really appreciate any input you can offer. When I mentioned to the boys on our team that I had messaged you, they were very excited because many of them have watched your videos on YouTube. If you are not able to help us, can you point us in the right direction? Thank you.

  2. Hello Arun!

    One more thing about the question I have made at other tip: I just follow this page and at my local Wildfly works great! When I upload this version to Openshift, I have a connection followed with disconnection, and I receive the code 1011…

    And this is the only difference: I have not created Realms on my remote Wildfly at Openshift…

    Best Regards!

    Bruno

  3. Hello Arun!

    As I said at other post, the cause of the 1011 error code was the web.xml. At step 7 I adjust my application to use the url-pattern from /* to /jsf-pages/* and my Websocket come to work again!!

    Thank you and keep posting!!

    Cheers!

    Bruno

  4. Hello Arun, I am trying to follow these steps in EAP 6.4, but this server doesn’t have the Undertow subsystem. So I configured it with a HTTPS connector and basic authentication (using the default Application Realm), but I don’t know if I am missing something by leaving the WebSocketRealm config aside. What would be the required steps for configuring EAP in a similar way as you did with WildFly?
