31

Is it possible to run a single @WebService bean as both secure and insecure at the same time, preferably using the same URL except for the http/https protocol difference?

I am able to run the service either secure or insecure using:

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

or

<transport-guarantee>NONE</transport-guarantee>

inside sun-ejb-jar.xml

i.e.

<ejb>
  <ejb-name>MyEJB</ejb-name>
  <webservice-endpoint>
    <port-component-name>MyWebService</port-component-name>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </webservice-endpoint>
</ejb>

Suggestions?

Justin
  • I am not clear on the details... so I won't submit this as an answer... You may want to dig into the topic of Grizzly port unification. It seems like that will allow you to do what you want. – vkraemer May 27 '10 at 17:31
  • Thanks vkraemer I will have a look at that. – Justin May 28 '10 at 07:44
  • 3
    What happens with NONE and a http SSL enabled listener? NONE doesn't preclude SSL from also working. The other option if you can install apache, httpd w/mod_ssl + mod_jk/ajp would probably work. – Chase Jul 14 '12 at 04:02
  • @Chase unfortunately with NONE it will only route from the unsecure listener. mod_ssl is definitely the way to go in any production scenario. – Justin Jul 15 '12 at 06:36

3 Answers

2

Why not just proxy the app server with Apache HTTP Server or similar? I usually do it this way and leave the SSL handshaking/open text connection to the HTTP server in front of it.

Bart Prokop
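The front-end arrangement described in the answer above, as an added example that is not part of the original answer: Apache httpd serves the same URL on http and https and forwards both to one GlassFish HTTP listener, which requires the endpoint's transport-guarantee to be NONE so the container accepts the proxied cleartext request. The hostname, certificate paths and the backend address 127.0.0.1:8080 are assumptions.

```apache
# Added example (assumed names and paths). Requires mod_ssl, mod_proxy,
# mod_proxy_http and mod_headers to be loaded.
# Assumption: the GlassFish HTTP listener is bound to 127.0.0.1:8080, so the
# cleartext port is reachable only through this proxy.

# Plain-HTTP entry point: http://ws.example.test/...
<VirtualHost *:80>
    ServerName ws.example.test

    ProxyPreserveHost On
    # Tell the backend which scheme the client actually used.
    RequestHeader set X-Forwarded-Proto "http"

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# TLS entry point: https://ws.example.test/... (same path, same backend)
<VirtualHost *:443>
    ServerName ws.example.test

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ws.example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/ws.example.test.key
    # Refuse legacy protocol versions on the TLS side.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    ProxyPreserveHost On
    # Overwrite any client-supplied value so the backend can trust the header.
    RequestHeader set X-Forwarded-Proto "https"

    # TLS ends here; the hop to GlassFish is cleartext over loopback.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

With this layout the container no longer enforces confidentiality itself, so any operation that must never travel in cleartext has to be restricted at the proxy or checked against `X-Forwarded-Proto` in the application.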
1

Just remove the <transport-guarantee>CONFIDENTIAL</transport-guarantee>; your beans will then be available on both http and https. <transport-guarantee>CONFIDENTIAL</transport-guarantee> means strict security: any incoming http request is redirected to https (SSL).

By removing this <transport-guarantee>CONFIDENTIAL</transport-guarantee> you will get great flexibility.

Ajit
1

I'm aware that this is a pretty old question. However, I feel like providing this answer since I recently ran into the exact same issue.

According to Oracle documentation:

  • Specify CONFIDENTIAL when the application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission.
  • Specify NONE to indicate that the container must accept the constrained requests on any connection, including an unprotected one.

Since this is merely a transport-guarantee, a NONE value should provide you the feature you want, namely an EJB Web Service responding both to http and https requests.

The problem here is a bug in Glassfish that apparently restricts you to either accept http OR https requests to your EJB Web Service:

According to the last jira task the issue should be fixed and working from Glassfish 4.0_b75.

Dag