Related questions

Secure API JAX-RS API with ssl certificate over Jetty Server

2022-05-06 20:32 ppb imported from Stackoverflow

I have Jax-RS REST API with Jetty Server in my Java 8 application. I am new to securing the REST API. I have .pem file (certificate) in some path. I want to use this certificate to validate the incoming request API. Can someone point me a working example that how to validate APIs with ssl certificate? Is there any way that I can validate only single API and not all.

1 answer

  • answered 2022-05-06 21:13 Joakim Erdfelt

    SSL/TLS based authentication of a client certificate occurs very early in the connections/conversation with an HTTP server.

    In java it happens entirely within the JVMs SSLEngine layer.

    Basically like this (simplified)

    1. Client connects to port 443
    2. Jetty accepts the connection
    3. Jetty tests to see what kind of traffic it is
    4. Jetty sees that it's encrypted and sends the traffic through the JVM SSLEngine layer.
    5. TLS negotiates encryption (JVM code)
    6. TLS negotiates client certificate (JVM code)
    7. Connection is established (JVM code)
    8. Jetty reads the decrypted traffic on the connection and starts to parse the request
    9. Jetty creates the request object and dispatches to the web app.
    10. Web app (your REST layer) now handles the request and produces a response.

    By the time the request reaches your API the client certificate has already been verified / validated by the TLS layer.

    You will only ever receive requests that satisfy that layer.

    You have the optional feature SecureRequestCustomizer that will include Request attributes that contains information from TLS layer, by way of the JVM's post-negotiated TLS layer.

How many English words
do you know?
Test your English vocabulary size, and measure
how many words do you know
Online Test
Powered by Examplum

See also questions close to this topic

  • How to get remaining time of the day in java?

    I would like to calculate the time remaining for next day 00:00:00 from the current date time.

    For e.g. time difference between 2022-05-07T05:49:41.883807900Z and 2022-05-08T00:00:00Z

    Expected answer: 18:10:19 or 65419 (in seconds).

    How can I achieve this with efficiently using java 8?

  • Java stream min/max of separate variables

    How can I determine both the min and max of different attributes of objects in a stream?

    I've seen answers on how get min and max of the same variable. I've also seen answers on how to get min or max using a particular object attribute (e.g. maxByAttribute()). But how do I get both the min of all the "x" attributes and the max of all the "y" attributes of objects in a stream?

    Let's say I have a Java Stream<Span> with each object having a Span.getStart() and Span.getEnd() returning type long. (The units are irrelevant; it could be time or planks on a floor.) I want to get the minimum start and the maximum end, e.g. to represent the minimum span covering all the spans. Of course, I could create a loop and manually update mins and maxes, but is there a concise and efficient functional approach using Java streams?

    Note that I don't want to create intermediate spans! If you want to create some intermediate Pair<Long> instance that would work, but for my purposes the Span type is special and I can't create more of them. I just want to find the minimum start and maximum end.

    Bonus for also showing whether this is possible using the new Java 12 teeing(), but for my purposes the solution must work in Java 8+.

  • How do I get config paramerters from my web.xml in Jersey?

    I have been trying to get parameters from my web.xml file from within my Jakarta JAX-RS resource. My web.xml is as follows:

    <web-app>
    <servlet>
        <servlet-name>Jersey REST Service</servlet-name>
        <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
        <init-param>
            <param-name>jersey.config.server.provider.packages</param-name>
            <param-value>terrible.package.name</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Jersey REST Service</servlet-name>
        <url-pattern>/api/v1/*</url-pattern>
    </servlet-mapping>
    <context-param>
        <param-name>max-customers-size</param-name>
        <param-value>10</param-value>
    </context-param>
</web-app>

    In my test setup, I am running my web app with Jetty:

    public static void main(String[] args) throws Exception {
    Server server = new Server(8080);
    WebAppContext ctx = new WebAppContext("target/the-finished-servlet.war", "/");
    server.setHandler(ctx);
    server.start();
}

    And I have the following user resource defined using jakarta:

    @Path("user")
public class UserResource {

    ServletContext context;
    
    @Context
    public void setServletContext(ServletContext context) {
        this.context = context;
        System.out.println("setting to: " + context);
    }

    @GET
    @Path("/list")
    @Produces(MediaType.APPLICATION_JSON)
    public Response getListOfAllUsers(final @Context HttpHeaders hdrs) throws SQLException {
        System.out.println(context.getInitParameter("max-customers-size"));
        return Response.ok("{}").build();
    }

}

    The context is always null, which makes absolutely no sense. The setServletContext method is called, and the parameter is null. I've tried using @Context on a constructor parameter, I've tried it on my context field, and I've tried it in the getListOfAllUsers method. None of them work.

    I just want to configure my servlet (for MySQL database path and user, in this example I'm testing with max-customers-size, which doesn't matter though, because my context is null either way). Is there an easier way to get custom config data into my servlet? I want the user of my resulting war file to be able to supply things like the database port. Why isn't ServletContext working, and if there is an easier way to make my servlet configurable, how do I do that?

  • How to receive a JSON File with multiple nodes through a POST Request with JAX-RS and Jackson (Quarkus)

    When im tryin got do a Post request through my JAX-RS API it always sends a null value. I dont know if the Jackson annotations are incorrect or if i need to use an ObjectMapper.

    These are my classes:

    public class ClassA{

  private String name;
  private ClassB classB;

public ClassA(){}

public ClassA(String name, ClassB classB){
   this.name = name;
   this.classB = classB;
}

@JsonGetter
public String getName(){ return name; }
@JsonGetter
public ClassB getClassB(){ return classB; }

    and this is the classB

    public class ClassB{

@JsonProperty("type")
private String type;
@JsonProperty("number")
private int number;

public ClassB(){}

@JsonPropertyOrder({"type, number"})
public ClassB(String type, int number){
   this.type= type;
   this.number= number;
}

@JsonGetter
public String getType(){ return type; }
@JsonGetter
public int getNumber(){ return number; }

    My JSON file:

    {
  "type": "typeExample;
  "classB": {
    "type": "classBTypeExample";
    "int": 10;
  }
}

    I want Jackson to read the file and then add an Object type ClassA to a list (the problem is that is not even reading it) This is the API code:

    @Path("/path")
public class Requests {
    private Set<ClassA> classesA = Collections.newSetFromMap(Collections.synchronizedMap(new LinkedHashMap<>()));

    @GET
    public Set<ClassA> list() {
            return classesA;
        }

    @POST
    public Set<ClassA> add(ClassA classA){
        classesA.add(classA);
        return classesA;
    }
}

    I already added the quarkus.jackson.fail-on-unknown-properties=true to the application.properies file

  • curl command for LIST string data type

    I've a formal parameter as List example in webservice. How to pass curl command for the list of string to POST data.

    Appreciate your help regarding this matter. Thanks, Blessy

  • Jetty - httponly cookie not being saved in browser in embedded jetty 11

    In my web app i am setting response cookies this way:

    Cookie testCookie = new Cookie("test", "mycookie");
testCookie.setHttpOnly(true);
testCookie.setPath("/");
testCookie.setMaxAge(3600);
testCookie.setSecure(true);

response.addCookie(testCookie); // Response is of type HttpServletResponse

    The client that is performing the requests is running in localhost.

    When i look at the request in chrome, i see that cookie tab and see that the cookie was received but I cannot find this cookie in chrome when i look in the Application->Cookies tab and the other requests i do after this was done, do not send cookies.

    Also, in jetty 11 i cannot seem to be able to set the SameSite attribute of the cookie.

    How can i set this cookie and is it normal that an httpOnly cookie is not visible in the Application tab in chrome? How can i verify if it was set or not?

  • Serve html page for video streaming in embedded Jetty

    I have an embedded jetty application that has various endpoints, one of them is /stream/fileId and another one is /streamWithHTML/fileId.

    The first one gets a file with the specified id from filesystem and starts writing its contents to the response, making use of the range headers to skip to different parts of the video.

    The second endpoint is intended to do the same thing, except instead of the default browser player, i want my own custom player built with html.
    This is the code i attempted to put together until now. This returns a web page but i dont know how to handle the video stream:

            response.setContentType("text/html");
        try {
            PrintWriter writer = response.getWriter();
            String filePath1 = "path/to/file";
            String encodedFilename = URLEncoder.encode(filePath1, StandardCharsets.UTF_8);
            
            // Get an html file and then print its contents after replacing a couple of parameters
            InputStream stream = getClass().getClassLoader().getResourceAsStream("HTML/VideoPlayer/index_template.html");
            String htmlPage = IOUtils.toString(stream, StandardCharsets.UTF_8);
            htmlPage = htmlPage.replace("$title", fileEntity1.fileName);
            htmlPage = htmlPage.replace("$video_source", encodedFilename);
            writer.println(htmlPage);
            writer.flush();
            writer.close();
        } catch (IOException | NullPointerException e) {
            e.printStackTrace();
        }

    And this is the contents of the html file:

    <!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>$title</title>
</head>
<body style="background-color: #303030">

<video style="max-width: 100%; max-height: 100%;" src="$video_source"></video>

</body>
</html>

    Note that $title and $video_source are just strings i use to correctly place some values when i serve the page.

    Every solution i have tried or have seen up until now, is to serve a static video, but it is not possible for me, since the video is saved on a database.

    Additional note: the video must be accessible from outside through only one endpoint, which will be the one with the html page, so putting the video on one endpoint and then serving i in the html of another request is not an option for me.