50th tip on this blog, yaay!
Tech Tip #49 explained how to secure WebSockets using username/password and Servlet Security mechanisms. This Tech Tip will explain how to secure WebSockets using HTTPS/TLS on WildFly.
Lets get started!
- Create a new keystore:
Used “websocket” as the convenience password.1234567891011121314151617181920212223<strong>keytool -genkey -alias websocket -keyalg RSA -keystore websocket.keystore -validity 10950</strong>Enter keystore password:Re-enter new password:What is your first and last name?[Unknown]: Arun GuptaWhat is the name of your organizational unit?[Unknown]: JBoss MiddlewareWhat is the name of your organization?[Unknown]: Red HatWhat is the name of your City or Locality?[Unknown]: San JoseWhat is the name of your State or Province?[Unknown]: CAWhat is the two-letter country code for this unit?[Unknown]: USIs CN=Arun Gupta, OU=JBoss Middleware, O=Red Hat, L=San Jose, ST=CA, C=US correct?[no]: yesEnter key password for <websocket>(RETURN if same as keystore password):Re-enter new password: - Download WildFly 8.1, unzip, and copy “websocket.keystore” file in
standalone/configurationdirectory. - Start WildFly as
123./bin/standalone.sh - Connect to it using jboss-cli as:
123./bin/jboss-cli.sh -c - Add a new security realm as:
And configure it:1234[standalone@localhost:9990 /] /core-service=management/security-realm=WebSocketRealm:add(){"outcome" => "success"}
12345678910[standalone@localhost:9990 /] /core-service=management/security-realm=WebSocketRealm/server-identity=ssl:add(keystore-path=websocket.keystore, keystore-relative-to=jboss.server.config.dir, keystore-password=websocket){"outcome" => "success","response-headers" => {"operation-requires-reload" => true,"process-state" => "reload-required"}} - Add a new HTTPS listener as:
1234567[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=WebSocketRealm){"outcome" => "success",<span style="font-size: 13px;"> "response-headers" => {"process-state" => "reload-required"}}</span> - A simple sample to show TLS-based security for WebSocket is available at github.com/javaee-samples/javaee7-samples/tree/master/websocket/endpoint-wss. Clone the workspace and change directory to “websocket/endpoint-wss”. The sample’s deployment descriptor has:
This ensures that any request coming to this application will be auto-directed to an HTTPS URL.1234567891011<security-constraint><web-resource-collection><web-resource-name>Secure WebSocket</web-resource-name><url-pattern>/*</url-pattern></web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint> - Deploy the sample by giving the command:
123mvn wildfly:deploy
Now accessing http://localhost:8080/endpoint-wss redirects to https://localhost:8080/endpoint-wss. The browsers may complain about self-signed certificate. For example, Chrome shows the following warning:
And Safari shows the following warning:
In either case, click on “Proceed to localhost” or “Continue” to proceed further. And then a secure WebSocket connection is established.
Another relevant point to understand is that a non-secure WebSocket connection cannot be made from an https-protected page. For example the following code in our sample:
|
1
2
3
|
new WebSocket("ws://localhost:8080/endpoint-wss/websocket");
|
will throw the following exception in Chrome Developer Tools:
|
1
2
3
4
|
[blocked] The page at 'https://localhost:8443/endpoint-wss/index.jsp' was loaded over HTTPS, but ran insecure content from 'ws://localhost:8080/endpoint-wss/websocket': this content should also be loaded over HTTPS.
Uncaught SecurityError: Failed to construct 'WebSocket': An insecure WebSocket connection may not be initiated from a page loaded over HTTPS.
|
Enjoy!
I replied to another post on your blog and hope you don’t feel I am hounding you. I am a coach with a First Lego League team. This is a competition using Lego Mindstorm robots. As part of the competition we present an idea about a solution to a real life problem. To finalize our presentation we need feedback from a mod developer but I am having difficulty reaching anyone. We simply need to know if there already exists any mods using command keys to move the character and/or a mod that makes different sounds when the characters turns right or left. If there is not such a mod, how much time/cost would it take for a proficient mod developer to make such a mod? We would really appreciate any input you can offer. When I mentioned to the boys on our team that I had messaged you, they were very excited because many of them have watched your videos on YouTube. If you are not able to help us, can you point us in the right direction? Thank you.
Lets talk offline.
Hello Arun!
One more thing about the question I have made at other tip: I just follow this page and at my local Wildfly works great! When I upload this version to Openshift, I have an connection followed with disconnection, and I receive the code 1011…
And this is the only difference: I do not have create Realms on my remote Wildfly at Openshift…
Best Regards!
Bruno
Hello Arun!
As I said at other post, the cause of the 1011 error code was the web.xml. At step 7 I ajust my application to use the url-pattern from /* to /jsf-pages/* and my Websocket come to work again!!
Thank you and keep posting!!
Cheers!
Bruno
Hello Arun, I am trying to follow these steps in EAP 6.4, but this server doesn’t have the Undertow subsystem. So I configured it with a HTTPS conector and basic authentication (using the default Application Realm), but I don’t know if I am missing something by leaving the WebSocketRealm config aside. What would be the required steps for configuring EAP in a similar way as you did with Widfly?
Please post your question on WildFly forum: https://developer.jboss.org/en/wildfly