
Using WildFly 8.1.0.Final I have issues connecting to an https resource (JAX-RS).

I have the following web.xml:

<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>Constraint1</display-name>
        <web-resource-collection>
            <web-resource-name>someresource</web-resource-name>
            <description/>
            <url-pattern>/webresources/somepath/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>somerole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ApplicationRealm</realm-name>
        <!--<realm-name>file</realm-name>-->
    </login-config>
    <security-role>
        <description>somerole</description>
        <role-name>somerole</role-name>
    </security-role>
</web-app>

This works fine with GlassFish 4.1, though I have a custom glassfish-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
  <context-root>/some-module-1.0-SNAPSHOT</context-root>
  <security-role-mapping>
    <role-name>somerole</role-name>
    <principal-name>someuser</principal-name>
    <group-name>somegroup</group-name>
  </security-role-mapping>
  <class-loader delegate="true"/>
  <jsp-config>
    <property name="keepgenerated" value="true">
      <description>Keep a copy of the generated servlet class' java code.</description>
    </property>
  </jsp-config>
</glassfish-web-app>

It also works fine if I omit the user-data-constraint section.

But with this section enabled, in the browser http://localhost:8080 gets redirected to https://localhost:8443 and I get the following error (German):

Error: Connection failed (original: "Fehler: Verbindung fehlgeschlagen")

When I try to connect with a Wink Client to the https URL, I'm getting the following error:

    Exception in thread "main" org.apache.wink.client.ClientRuntimeException: java.lang.RuntimeException: java.net.ConnectException: Connection refused: connect
    at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:241)
    at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:189)
    at org.apache.wink.client.internal.ResourceImpl.invokeNoException(ResourceImpl.java:181)
    at org.apache.wink.client.internal.ResourceImpl.get(ResourceImpl.java:311)
    at somepackage.rest.client.wink.SomeWinkClient.getFoo(SomeWinkClient.java:61)
    at somepackage.rest.Main.main(Main.java:30)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140)
Caused by: java.lang.RuntimeException: java.net.ConnectException: Connection refused: connect
    at org.apache.wink.client.internal.handlers.HttpURLConnectionHandler.handle(HttpURLConnectionHandler.java:57)
    at org.apache.wink.client.internal.handlers.HandlerContextImpl.doChain(HandlerContextImpl.java:52)
    at org.apache.wink.client.internal.handlers.AcceptHeaderHandler.handle(AcceptHeaderHandler.java:79)
    at org.apache.wink.client.internal.handlers.HandlerContextImpl.doChain(HandlerContextImpl.java:52)
    at org.apache.wink.client.handlers.BasicAuthSecurityHandler.handle(BasicAuthSecurityHandler.java:71)
    at org.apache.wink.client.internal.handlers.HandlerContextImpl.doChain(HandlerContextImpl.java:52)
    at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:228)
    ... 10 more
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:579)
    at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:618)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:175)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
    at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:275)
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:371)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:932)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at org.apache.wink.client.internal.handlers.HttpURLConnectionHandler.processRequest(HttpURLConnectionHandler.java:97)
    at org.apache.wink.client.internal.handlers.HttpURLConnectionHandler.handle(HttpURLConnectionHandler.java:54)
    ... 16 more

Update

I added the https-listener configuration as suggested by @hwellmann:

<subsystem xmlns="urn:jboss:domain:undertow:1.1">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <https-listener name="default-ssl" socket-binding="https" security-realm="SSLRealm"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>

and

<security-realm name="SSLRealm">
    <server-identities>
        <ssl>
            <keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="somepwd" alias="wildfly-local" key-password="somepwd"/>
        </ssl>
    </server-identities>
</security-realm>

I've created a keystore at standalone\configuration using:

keytool -genkey -alias wildfly-local -keyalg RSA -keypass somepwd -storepass somepwd -keystore keystore.jks -validity 9999

But I'm still getting the same errors.

Puce
  • What happens if you just try going to https://localhost:8443/ in your browser? Have you checked server.log for any errors during WildFly start-up? – Will Tatam Oct 07 '15 at 16:09

1 Answer

Do you have an https-listener in the undertow subsystem of your standalone.xml? This is not configured by default.

What you need is

    <subsystem xmlns="urn:jboss:domain:undertow:2.0">
        <!-- ... -->
        <server name="default-server">
            <http-listener name="default" socket-binding="http" redirect-socket="https-ext"/>
            <https-listener name="default-ssl" socket-binding="https" security-realm="MySslRealm"/>
        </server>
        <!-- ... -->
    </subsystem>

and you need to configure the security realm with a keystore, see this blog for more details.

Harald Wellmann
  • What I have is ``. But this is a default configuration. I didn't change standalone.xml. In which section should I configure what exactly? – Puce Oct 07 '15 at 07:57
  • 1
    Added `https-listener` to answer. – Harald Wellmann Oct 07 '15 at 08:03
  • Is security-realm in my simple case "ApplicationRealm"? – Puce Oct 07 '15 at 08:03
  • The subsystem xmlns here is "urn:jboss:domain:undertow:1.1", but this should be fine, I guess. – Puce Oct 07 '15 at 08:04
  • Does WildFly have a default self-signed certificate like GlassFish? – Puce Oct 07 '15 at 08:29
  • You need a keystore. Also check the logs to see if the https-connector is running, or run `netstat -tulpn`. – Harald Wellmann Oct 07 '15 at 08:30
  • ...and you have to create your own certificate. See the blog linked from my answer. – Harald Wellmann Oct 07 '15 at 08:59
  • I had NetBeans configured to use standalone-full.xml, so I had to configure that file and then it worked. – Puce Oct 07 '15 at 10:37
  • Thanks for your answer and links. It's hard to find the right documentation. And it's a pity https doesn't work more or less out-of-the-box like in GlassFish. – Puce Oct 07 '15 at 10:39
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/91615/discussion-between-hwellmann-and-puce). – Harald Wellmann Oct 07 '15 at 14:08
  • Unfortunately, I can't access the chat from within my company, but as I said, the issue is solved once I edited standalone-full.xml. Thanks for your help! – Puce Oct 08 '15 at 07:49
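The diagnosis in this thread can be checked offline before restarting the server: a CONFIDENTIAL transport-guarantee makes Undertow redirect to the socket-binding named in the http-listener's `redirect-socket` (the binding called `https` when the attribute is absent, which is what the question's 8080 to 8443 redirect shows), and nothing listens there until an `https-listener` exists and its security realm carries a keystore under `server-identities/ssl`. The script below is an added example, not code from the question, the answer or WildFly itself. It parses a constructed skeleton of standalone.xml that mirrors the question's Update (the `urn:jboss:domain:*` namespace strings are sample values; the checker ignores namespaces entirely), and it covers three cases: the stock file with no https-listener, an https-listener pointing at `ApplicationRealm` (the realm asked about in the comments, which has no TLS server identity), and the working `SSLRealm` setup. The `${VAULT::...}` check is a warning only; `check_https_redirect` and `sample_standalone_xml` are names chosen here.

```python
"""Offline sanity check for the failure mode in this thread: a CONFIDENTIAL
transport-guarantee makes Undertow redirect http -> https, and if nothing
listens on the https socket-binding the client sees "Connection refused".
Added example, not code from the question, the answer or WildFly itself."""
import xml.etree.ElementTree as ET


def _local(tag):
    # Strip the namespace so the check works for any urn:jboss:domain:* version.
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def check_https_redirect(standalone_xml):
    """Return (severity, message) findings; no 'error' entries means the redirect will be served."""
    root = ET.fromstring(standalone_xml)
    findings = []
    ports = {b.get("name"): b.get("port") for b in _find_all(root, "socket-binding")}
    tls_bindings = {ls.get("socket-binding") for ls in _find_all(root, "https-listener")}
    realms = {r.get("name"): r for r in _find_all(root, "security-realm")}

    for listener in _find_all(root, "http-listener"):
        # No redirect-socket attribute means the binding named "https"; the
        # question shows exactly that (8080 -> 8443 with the attribute absent).
        target = listener.get("redirect-socket", "https")
        if target not in ports:
            findings.append(("error", f"http-listener '{listener.get('name')}' redirects to unknown socket-binding '{target}'"))
        elif target not in tls_bindings:
            findings.append(("error", f"redirect goes to port {ports[target]} but no https-listener is bound to '{target}': clients get 'Connection refused'"))

    for listener in _find_all(root, "https-listener"):
        realm = realms.get(listener.get("security-realm", ""))
        if realm is None:
            findings.append(("error", f"https-listener '{listener.get('name')}' references a missing security-realm"))
            continue
        keystores = [k for si in _find_all(realm, "server-identities")
                     for ssl in _find_all(si, "ssl") for k in _find_all(ssl, "keystore")]
        if not keystores:
            findings.append(("error", f"security-realm '{realm.get('name')}' has no <server-identities><ssl><keystore>, so the TLS listener has nothing to serve"))
        for ks in keystores:
            # WildFly 8 can read these from the vault (${VAULT::block::attr::id}); a literal
            # password in standalone.xml is readable by anyone who can read the file.
            if not ks.get("keystore-password", "").startswith("${VAULT::"):
                findings.append(("warn", f"keystore-password for alias '{ks.get('alias')}' is a clear-text literal in the config"))
    return findings


def sample_standalone_xml(tls_realm=None):
    """Constructed standalone.xml skeleton mirroring the question's config (sample data only).
    tls_realm=None reproduces the stock file with no https-listener; a realm name adds one.
    Namespace versions are sample values; the checker does not depend on them."""
    https = (f'<https-listener name="default-ssl" socket-binding="https" security-realm="{tls_realm}"/>'
             if tls_realm else "")
    return f"""<server xmlns="urn:jboss:domain:2.1">
  <management><security-realms>
    <security-realm name="ApplicationRealm"/>
    <security-realm name="SSLRealm"><server-identities><ssl>
      <keystore path="keystore.jks" relative-to="jboss.server.config.dir"
                keystore-password="somepwd" alias="wildfly-local" key-password="somepwd"/>
    </ssl></server-identities></security-realm>
  </security-realms></management>
  <profile><subsystem xmlns="urn:jboss:domain:undertow:1.1"><server name="default-server">
    <http-listener name="default" socket-binding="http"/>{https}
  </server></subsystem></profile>
  <socket-binding-group name="standard-sockets" default-interface="public">
    <socket-binding name="http" port="8080"/>
    <socket-binding name="https" port="8443"/>
  </socket-binding-group>
</server>"""


if __name__ == "__main__":
    cases = (("stock config, no https-listener", None),
             ("https-listener -> ApplicationRealm", "ApplicationRealm"),
             ("https-listener -> SSLRealm", "SSLRealm"))
    for label, realm in cases:
        print(f"== {label}")
        for severity, message in check_https_redirect(sample_standalone_xml(realm)) or [("ok", "redirect target is served")]:
            print(f"  [{severity}] {message}")
```

Point `check_https_redirect` at the file the server actually loads (standalone-full.xml in the questioner's NetBeans setup, which is why editing standalone.xml changed nothing). Note that the workaround the question mentions, dropping the user-data-constraint, "works" only by sending the BASIC credentials in clear text over port 8080; the redirect is the correct behaviour and the missing listener is the bug.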