
With WildFly 8.2.1, I am trying to make an existing web service (JAX-WS) use SSL, but I haven't seen any use of SSL in the quickstarts and the information I was able to google is limited. So far I've added this to web.xml:

<security-constraint>
    <display-name>Foo security</display-name>
    <web-resource-collection>
        <web-resource-name>FooService</web-resource-name>
        <url-pattern>/foo/FooService</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

and this is in my standalone.xml:

<subsystem xmlns="urn:jboss:domain:webservices:1.2">
    <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
    <endpoint-config name="Standard-Endpoint-Config"/>
    <endpoint-config name="Recording-Endpoint-Config">
        <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
            <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
        </pre-handler-chain>
    </endpoint-config>
    <client-config name="Standard-Client-Config"/>
</subsystem>

but apparently that's not enough; when I look into standalone/data/wsdl/foo.ear/foo.war/FooService/Bar.wsdl I see:

<service name="FooService">
   <port binding="foowsb:FooBinding" name="FooBinding">
       <soap:address location="http://localhost:8080/foo/FooService"/>
   </port>
</service>

Note that in the EAR/WAR, the soap:address.location is filled just with a placeholder (I suppose that the value is ignored).

I've found some info about setting up a security realm and creating a self-signed certificate using keytool (which I did), but I am completely missing how this should be linked together.

I've also tried to set up wsdl-uri-scheme=https, but this is supported only in later versions of CXF.

Radim Vansa

1 Answer


It seems that the soap:address.location value is not ignored when it's being replaced, since changing it from REPLACE_WITH_ACTUAL_URL to https://REPLACE_WITH_ACTUAL_URL did the trick; now the service is exposed on https://localhost:8443.

There are a couple more steps I had to do in standalone.xml: in undertow, add an https-listener:

<https-listener name="secure" socket-binding="https" security-realm="SslRealm"/>

define the SslRealm:

<security-realm name="SslRealm">
   <server-identities>
      <ssl>
         <keystore path="foo.keystore" relative-to="jboss.server.config.dir" keystore-password="foo1234" alias="foo" key-password="foo1234"/>
      </ssl>
   </server-identities>
   <authentication>
      <truststore path="foo.truststore" relative-to="jboss.server.config.dir" keystore-password="foo1234"/>
   </authentication>
</security-realm>

Note that I reuse the same keystore for the server and the clients here. And since my clients are ATM in the same WF node during development, I had to set up the client-side part there, too:

<system-properties>
    <property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/foo.keystore"/>
    <property name="javax.net.ssl.trustStorePassword" value="foo1234"/>
    <property name="org.jboss.security.ignoreHttpsHost" value="true"/>
</system-properties>

The last property should be replaced in WF 9+ with cxf.tls-client.disableCNCheck.

Radim Vansa
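As an added example (not part of the question or the answer above, and not WildFly's own tooling): a bash script that generates the server keystore with keytool, exports only the certificate into a separate truststore for clients, and prints the jboss-cli commands equivalent to the standalone.xml edits in the answer. The names foo, foo.keystore, foo.truststore, foo1234, SslRealm and the listener name secure are taken from the answer; the WS_* environment variables, the SAN=dns:localhost extension and the client_jvm_flags/cli_commands helper names are this example's assumptions. Because the certificate carries a SAN matching the host the client connects to, the client needs neither org.jboss.security.ignoreHttpsHost nor cxf.tls-client.disableCNCheck, and because the truststore holds no private key, handing it to clients does not expose the server's key.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Builds a server keystore and a
# separate client truststore with keytool, then prints the jboss-cli batch
# that wires them into a WildFly 8 security realm and an Undertow https-listener.
# Assumed names (not from the post): WS_* variables, SAN=dns:$HOST.
set -euo pipefail

HOST="${WS_HOST:-localhost}"
ALIAS="${WS_ALIAS:-foo}"
PASS="${WS_STORE_PASS:-foo1234}"          # development-only default from the answer
KEYSTORE="${WS_KEYSTORE:-foo.keystore}"
TRUSTSTORE="${WS_TRUSTSTORE:-foo.truststore}"

# Generate the server key pair plus a self-signed cert whose SAN names the host.
# Clients can then verify the hostname normally; no CN-check bypass is needed.
make_stores() {
    rm -f "$KEYSTORE" "$TRUSTSTORE" "$ALIAS.cer"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$HOST" -ext "SAN=dns:$HOST" \
        -keystore "$KEYSTORE" -storepass "$PASS" -keypass "$PASS"
    # Export only the public certificate ...
    keytool -exportcert -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$PASS" \
        -rfc -file "$ALIAS.cer"
    # ... and import it into a truststore that holds no private key, so this
    # file, not the keystore, is what clients receive.
    keytool -importcert -noprompt -alias "$ALIAS" -file "$ALIAS.cer" \
        -keystore "$TRUSTSTORE" -storepass "$PASS"
}

# jboss-cli batch equivalent to the standalone.xml edits in the answer:
# the SslRealm with its server identity and truststore, and the https-listener.
cli_commands() {
    cat <<EOF
batch
/core-service=management/security-realm=SslRealm:add()
/core-service=management/security-realm=SslRealm/server-identity=ssl:add(keystore-path=$KEYSTORE,keystore-relative-to=jboss.server.config.dir,keystore-password=$PASS,alias=$ALIAS,key-password=$PASS)
/core-service=management/security-realm=SslRealm/authentication=truststore:add(keystore-path=$TRUSTSTORE,keystore-relative-to=jboss.server.config.dir,keystore-password=$PASS)
/subsystem=undertow/server=default-server/https-listener=secure:add(socket-binding=https,security-realm=SslRealm)
run-batch
EOF
}

# JVM flags for a client on another host: it gets the truststore only.
client_jvm_flags() {
    printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s\n' \
        "$TRUSTSTORE" "$PASS"
}

# Sanity check: the truststore must hold a trusted cert and no private key.
truststore_has_no_key() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$PASS" | grep -q trustedCertEntry &&
    ! keytool -list -keystore "$TRUSTSTORE" -storepass "$PASS" | grep -q PrivateKeyEntry
}

# Only build the stores where a JDK is present; the CLI text is always printed.
if command -v keytool >/dev/null 2>&1; then
    make_stores
    truststore_has_no_key && echo "truststore OK: certificate only, no private key"
fi
cli_commands
client_jvm_flags
```

Run the script from $JBOSS_HOME/standalone/configuration so the two stores land where keystore-relative-to=jboss.server.config.dir expects them, then feed the printed batch to jboss-cli.sh --connect. A client on another machine receives only foo.truststore and the printed -D flags.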