Chinese version: Developing Java EE Applications on JBoss AS 7.2.0 - 04. How to Configure SSL
1. SSL configuration in standalone.xml
Please pay special attention to the SSL-related lines (shown in blue on the original page).
(a) Part.1
<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:1.4">
    ...
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <server-identities>
                    <ssl>
                        <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="ybxiang_keystore_password"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <jaas name="ybxiang-forum-jaas-security-domain"/>
                </authentication>
            </security-realm>
        </security-realms>
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket-binding native="management-native"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
    </management>
This is the SSL configuration for EJB (the server identity of the ApplicationRealm).
(b) Part.2
    <profile>
        ...
        <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
            <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                <ssl password="ybxiang_keystore_password" certificate-key-file="../standalone/configuration/server.keystore" protocol="TLSv1" verify-client="false" certificate-file="../standalone/configuration/server.keystore"/>
            </connector>
            <connector name="management-https" protocol="HTTP/1.1" scheme="https" socket-binding="management-https" secure="true">
                <ssl password="ybxiang_keystore_password" certificate-key-file="../standalone/configuration/server.keystore" protocol="TLSv1" verify-client="false" certificate-file="../standalone/configuration/server.keystore"/>
            </connector>
            <virtual-server name="default-host" enable-welcome-root="false">
                <alias name="localhost"/>
                <alias name="javaarm.com"/>
            </virtual-server>
        </subsystem>
        ...
    </profile>
This is the SSL configuration for HTTP (web applications).
(c) Part.3
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
        <socket-binding name="ajp" port="8009"/>
        <socket-binding name="http" port="80"/>
        <socket-binding name="https" port="443"/>
        <socket-binding name="jacorb" interface="unsecure" port="3528"/>
        <socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
        <socket-binding name="messaging" port="5445"/>
        ...
</server>
Let's change the http and https socket bindings to the standard ports 80 and 443.
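As an added check (not part of the original article), here is a small Python audit that walks a standalone.xml like the one above, resolves each https connector to its socket-binding port, and flags settings a reviewer would question: the protocol="TLSv1" used here (TLS 1.0 and 1.1 are deprecated by RFC 8996), a missing secure="true", a missing <ssl> element, and the clear-text keystore password the file has to carry. The XML inside is a constructed sample modelled on Parts 2 and 3, with the management connector deliberately stripped down so that the checks fire.

```python
import xml.etree.ElementTree as ET

DOMAIN = "{urn:jboss:domain:1.4}"
WEB = "{urn:jboss:domain:web:1.4}"
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # withdrawn by RFC 6176 / RFC 7568 / RFC 8996
# Constructed sample modelled on Parts 2 and 3; management-https deliberately lacks secure="true" and <ssl>.
STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.4">
    <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host">
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl password="ybxiang_keystore_password" protocol="TLSv1" verify-client="false"
             certificate-key-file="../standalone/configuration/server.keystore"/>
      </connector>
      <connector name="management-https" protocol="HTTP/1.1" scheme="https" socket-binding="management-https"/>
    </subsystem>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
    <socket-binding name="http" port="80"/>
    <socket-binding name="https" port="443"/>
  </socket-binding-group>
</server>"""

def resolve_port(value):
    """Resolve a "${prop:default}" expression to its default; otherwise parse the literal port."""
    if value.startswith("${") and value.endswith("}"):
        value = value[2:-1].partition(":")[2]
    return int(value)

def audit_https_connectors(xml_text):
    """Return one finding per https connector: its resolved port and a list of issues."""
    root = ET.fromstring(xml_text)
    # socket-binding name -> numeric port, so each connector can be reported with the port it listens on
    ports = {sb.get("name"): resolve_port(sb.get("port")) for sb in root.iter(DOMAIN + "socket-binding")}
    findings = []
    for conn in root.iter(WEB + "connector"):
        if conn.get("scheme") != "https":
            continue
        issues = []
        if conn.get("secure") != "true":
            issues.append("secure attribute is not true")
        ssl = conn.find(WEB + "ssl")
        if ssl is None:
            issues.append("no <ssl> element")
        else:
            if ssl.get("protocol") in LEGACY:
                issues.append("legacy protocol " + ssl.get("protocol"))
            if ssl.get("password"):
                issues.append("keystore password in clear text; restrict access to standalone.xml")
        findings.append({"connector": conn.get("name"), "port": ports.get(conn.get("socket-binding")), "issues": issues})
    return findings
```

Run it against your own standalone.xml with `audit_https_connectors(open(path).read())`; an empty issues list for the https connector is the goal.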
2. Generate server.keystore
Now, let's generate all the keys needed here with the JDK keytool (Windows batch syntax; rem lines are comments):
rem # 1. generate server.keystore
keytool -genkey -alias server -keyalg RSA -keystore server.keystore -storepass ybxiang_keystore_password -keypass ybxiang_keystore_password -dname "CN=112.65.245.231, OU=javaarm.com, O=JAVAARM-XIANG, L=Shanghai, ST=Shanghai, C=CN" -validity 3650
rem # 2. export server.cer from server.keystore
keytool -export -alias server -keystore server.keystore -storepass ybxiang_keystore_password -file server.cer
rem # 3. generate client.truststore
keytool -import -v -keystore client.truststore -storepass ybxiang_truststore_password -file server.cer
Where:
CN: What is your first and last name?
OU: What is the name of your organizational unit?
O: What is the name of your organization?
L: What is the name of your City or Locality?
ST: What is the name of your State or Province?
C: What is the two-letter country code for this unit?
We will get the files below:
- server.keystore
- server.cer
- client.truststore
Please cut/copy server.keystore to D:\java\jboss-as-7.2.0.Final\standalone\configuration
Please copy client.truststore to your EJB client app. We will describe "EJB over SSL" in later articles.
3. ybxiang-forum-war's web.xml
I do NOT explain the code below; I think you understand it.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    ...
    <!-- 1. Public Resources -->
    ...
    <!-- 2. CONFIDENTIAL resources -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>CONFIDENTIAL resources - logged in user</web-resource-name>
            <description>CONFIDENTIAL resources - logged in user</description>
            <url-pattern>/faces/login-https.xhtml</url-pattern>
            <url-pattern>/faces/console/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>CONFIDENTIAL resources - guest</web-resource-name>
            <description>CONFIDENTIAL resources - guest</description>
            <url-pattern>/faces/register.xhtml</url-pattern>
            <url-pattern>/faces/login-form.xhtml</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-role>
        <role-name>*</role-name>
    </security-role>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/faces/login-form.xhtml</form-login-page>
            <form-error-page>/faces/login-fail.xhtml</form-error-page>
        </form-login-config>
    </login-config>
</web-app>
Now, please redeploy your EAR and visit http://127.0.0.1/faces/register.xhtml; you will be redirected to https://127.0.0.1/faces/register.xhtml by JBoss AS 7 automatically.
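To show what the container does with these constraints, here is an added Python model (not from the article or from JBoss) of the transport-guarantee decision: it parses a constructed web.xml carrying the two CONFIDENTIAL constraints above, picks the best-matching url-pattern by the Servlet spec rules (exact match, then longest /path/* prefix, then *.ext, then /), and applies the spec's combination rule for user-data-constraints, under which one constraint without CONFIDENTIAL or INTEGRAL on the same pattern lets plain HTTP through.

```python
import xml.etree.ElementTree as ET
JEE = "{http://java.sun.com/xml/ns/javaee}"
# Constructed web.xml carrying the article's two CONFIDENTIAL constraints, trimmed to the matching-relevant elements.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/faces/login-https.xhtml</url-pattern>
      <url-pattern>/faces/console/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/faces/register.xhtml</url-pattern>
      <url-pattern>/faces/login-form.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return [(url_patterns, transport_guarantee)] per <security-constraint>; an absent guarantee means NONE."""
    out = []
    for sc in ET.fromstring(xml_text).iter(JEE + "security-constraint"):
        patterns = [p.text.strip() for p in sc.iter(JEE + "url-pattern")]
        tg = sc.find(JEE + "user-data-constraint/" + JEE + "transport-guarantee")
        out.append((patterns, tg.text.strip() if tg is not None else "NONE"))
    return out

def match_rank(pattern, path):
    """Servlet-spec matching: exact > longest path prefix > extension > default "/"; None when no match."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return (2, len(prefix)) if path == prefix or path.startswith(prefix + "/") else None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    return (0, 0) if pattern == "/" else None

def must_redirect_to_https(constraints, path, scheme):
    """True when a plain-http request hits a pattern whose constraints all demand CONFIDENTIAL or INTEGRAL."""
    if scheme == "https":
        return False
    matched = [(p, tg) for pats, tg in constraints for p in pats if match_rank(p, path) is not None]
    if not matched:
        return False
    best = max(matched, key=lambda m: match_rank(m[0], path))[0]
    # Servlet 3.0 spec 13.8.1: guarantees for the same pattern combine as a union, so one NONE permits plain HTTP.
    return all(tg in ("CONFIDENTIAL", "INTEGRAL") for p, tg in matched if p == best)
```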