B4J Tutorial [Server] SSL Connections

Discussion in 'B4J Tutorials' started by Erel, Apr 21, 2014.

  1. Erel

    Erel Administrator Staff Member Licensed User

    Starting from B4J v2.00 the server can listen to two ports, the standard insecure port (http) and a secure port (https).

    The default port for http is 80 and for https is 443. These ports are used when the url doesn't explicitly specify a port number.

    It is recommended to go over the Wikipedia article to learn more about HTTPS: http://en.wikipedia.org/wiki/HTTP_Secure

    SSL connections require some configuration. First you need a keystore file that stores the public and private keys. You can either purchase a key from a certificate authority or create one yourself. In the latter case the browser will show a warning as the certificate cannot be verified.

    These instructions explain how to create a key: http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Generating_Keys_and_Certificates_with_JDK_keytool

    The server configuration is done with the SslConfiguration object. This code should be called before the server is started.
    Code:
    Private Sub ConfigureSSL (SslPort As Int)
       'example of SSL connector configuration
       Dim ssl As SslConfiguration
       ssl.Initialize
       ssl.SetKeyStorePath(File.DirApp, "test2.keystore") 'path to keystore file
       ssl.KeyStorePassword = "123456"
       ssl.KeyManagerPassword = "654321"
       srvr.SetSslConfiguration(ssl, SslPort)
       'add filter to redirect all traffic from http to https (optional)
       srvr.AddFilter("/*", "HttpsFilter", False)
    End Sub
    We need to create an SslConfiguration object and set the path and passwords of the keystore file.
    Then we call Server.SetSslConfiguration with the configuration object and the https port we want to listen on.


    We can use a Filter class to redirect all http traffic to https:
    Code:
    'Return True to allow the request to proceed.
    Public Sub Filter(req As ServletRequest, resp As ServletResponse) As Boolean
       If req.Secure Then
          Return True
       Else
          resp.SendRedirect(req.FullRequestURI.Replace("http:", "https:") _
            .Replace(Main.srvr.Port, Main.srvr.SslPort))
          Return False
       End If
    End Sub
    This code checks whether the request is a secure request. If not, it redirects the request to the https port and sets the scheme to https.

    Note that trying to connect with http to the https port or with https to the http port will result in an error.

    Filters do not apply to web sockets. You can use WebSocket.Secure to make sure that a secure connection has been made (this will be the case if the current request is a https request, unless someone has tampered with the JavaScript code).
     
    Last edited: Jun 17, 2018
  2. Fabrice La

    Fabrice La Active Member Licensed User

    Hi Erel,

    Without SSL everything works fine.
    But if I try to use an SSL connection, there is no error message:
    If I use the url http://http://192.168.52.101:52084/ the browser goes to https://192.168.52.101:52088/ and says the connection has been stopped.
     
  3. Erel

    Erel Administrator Staff Member Licensed User

    The filter redirects the traffic to the https port.

    How did you create the key?
     
  4. Fabrice La

    Fabrice La Active Member Licensed User

    Yes, I saw that when you try http it redirects to https.

    I used keytool
    And if I use "KeyStore Explorer" I can read the certificate.

    But in https nothing works ...
     
  5. Erel

    Erel Administrator Staff Member Licensed User

    Please start a new thread for this question / issue. Create a temporary keystore file and upload the project with the keystore file so we can test it.
     
  6. LucaMs

    LucaMs Expert Licensed User

    Where is that "keytool"?

    Should I install that IBM "KeyMan", instead of keytool?
     
  7. Erel

    Erel Administrator Staff Member Licensed User

    The keytool program is included in the Java JDK. You can find it under <java>\bin
     
  8. LucaMs

    LucaMs Expert Licensed User

    Thank you
     
  9. LucaMs

    LucaMs Expert Licensed User

    I'm tired. Surely!

    First you need a keystore file that stores the public and private keys.

    Keys: in your example you used only a pair for the keystore, or am I wrong?

    Then can I use the keys stored in the keystore to allow access to some entity (person, app, ...)? How? Adding other filters and checking...?

    From Italian Wikipedia - HTTPS (translated from Italian):
    This technology can therefore also be used to allow limited access to a web server. The administrator often creates certificates for each user, which are loaded into their browsers and contain information such as the user's name and e-mail address, so that the server can recognise the user when he tries to reconnect without entering a username and/or password.


    Altruistic suggestion: the best answer would be to edit the project attached to this post. :D


    [P.S. Perhaps, for my example, the password for accessing CCTV, the SslConfiguration object and the filter are sufficient (i.e. the transfer of the password between the browser and the server becomes safe) and the other keys are used for other "individual controls".
    Let's try.]
     
    Last edited: Aug 1, 2014
  10. LucaMs

    LucaMs Expert Licensed User

    Generating Keys and Certificates with JDK keytool

    This command prompts for information about the certificate and for passwords to protect both the keystore and the keys within it. The only mandatory response is to provide the fully qualified host name of the server at the "first and last name" prompt.

    My fully qualified host name of the server actually can be only "localhost" or my pc's ip address :eek: I hope that it will be accepted.
     
  11. LucaMs

    LucaMs Expert Licensed User

    ssl.KeyManagerPassword = "654321" ???

    I ran the command as on the linked page:
    These instructions explain how to create a key: http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Generating_Keys_and_Certificates_with_JDK_keytool

    keytool -keystore NameOfMyKeystore.keystore -alias jetty -genkey -keyalg RSA

    executing: keytool -keystore NameOfMyKeystore.keystore -list
    I get the jetty's key/value.

    KeyManagerPassword???


    [P.S. I have tried to use the jetty's pw for KeyManagerPassword and SEEMS to work]
     
    Last edited: Aug 2, 2014
  12. LucaMs

    LucaMs Expert Licensed User

    Code:
    'Return True to allow the request to proceed.
    Public Sub Filter(req As ServletRequest, resp As ServletResponse) As Boolean
      If req.Secure Then
        Return True
      Else
        resp.SendRedirect(req.FullRequestURI.Replace("http:", "https:") _
          .Replace(Main.srvr.Port, Main.srvr.SslPort))
        Return False
      End If
    End Sub
    It can't be compiled, because Main.srvr is declared as Private. I changed it to Public, hoping that this is not a problem.


    [P.S. Creating two public variables for the two ports is a better choice:
    Code:
    resp.SendRedirect(req.FullRequestURI.Replace("http:", "https:") _
          .Replace(Main.ServerPort, Main.ServerSSLPort))
    ]
     
    Last edited: Aug 2, 2014
  13. Erel

    Erel Administrator Staff Member Licensed User

    Why is it better???
    It is better to get the values directly from the server object.

    The qualified name should be your ip address.
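    The keystore step in the first post, the KeyManagerPassword question in post 11 and the "qualified name" answer above all come down to how the keystore is generated. The following is an added example, not code from the tutorial or from B4J; it is a POSIX shell wrapper around the JDK keytool that creates the self-signed JKS keystore ConfigureSSL expects, with the store password and the key password kept distinct so the mapping to ssl.KeyStorePassword (-storepass) and ssl.KeyManagerPassword (-keypass) is visible. The alias "jetty" comes from the thread; the function names, the file name and the passwords are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the tutorial's or B4J's own code): generate the JKS keystore
# that the tutorial's ConfigureSSL points ssl.SetKeyStorePath at.
# All names and values here are constructed placeholders.

# make_server_keystore <keystore-path> <host-or-ip> <store-password> <key-password>
# Creates a self-signed 2048-bit RSA certificate under alias "jetty" (the alias
# used in the thread). The CN and a SubjectAltName entry are both set to the host
# the browser will type in the address bar, because that is what the browser's
# hostname check compares against (modern browsers only look at the SAN).
make_server_keystore() {
    ks_path=$1; host=$2; store_pw=$3; key_pw=$4
    # An IP address must go in the SAN as ip:, a DNS name as dns:.
    case $host in
        *[!0-9.]*) san="dns:$host" ;;
        *)         san="ip:$host" ;;
    esac
    keytool -genkeypair \
        -alias jetty \
        -keyalg RSA -keysize 2048 \
        -validity 365 \
        -dname "CN=$host" \
        -ext "SAN=$san" \
        -storetype JKS \
        -keystore "$ks_path" \
        -storepass "$store_pw" \
        -keypass "$key_pw"
}

# keystore_has_alias <keystore-path> <store-password> <alias>
# Returns 0 when the alias exists in the store, non-zero otherwise; run it
# before starting the server to confirm the path and KeyStorePassword are right.
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Demo when run directly: ./make_keystore.sh demo
# Produces ./server.keystore for 127.0.0.1 with the tutorial's two passwords.
if [ "${1:-}" = "demo" ]; then
    make_server_keystore ./server.keystore 127.0.0.1 123456 654321
    keystore_has_alias ./server.keystore 123456 jetty && echo "alias jetty present"
fi
```

    Two caveats that explain the questions in the thread: -storetype JKS is given explicitly because recent JDKs default to PKCS12, and in a PKCS12 store keytool forces the key password to equal the store password, so KeyManagerPassword would then have to be the same value as KeyStorePassword. And a self-signed certificate made this way still produces a browser warning, exactly as the first post says; only a certificate issued by a CA the browser trusts removes it.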
     
  14. LucaMs

    LucaMs Expert Licensed User

    I thought it was weird to avoid interventions on a server spread across other handlers.


    To me, the use of SSLConfiguration, the keystore and the filter is not clear.

    I have tried to use the filter by matching it to a subfolder but it seems that it only works with "/*" (but I may have gotten lost, surely).

    Again with reference to CCTV (but only as an example) I would only use HTTPS to login. The redirection occurs but then the other handlers are not executed.

    Should we use the entries in the keystore for user credentials?

    (Translated from Italian:) This technology can therefore also be used to allow limited access to a web server. The administrator often creates certificates for each user, which are loaded into their browsers and contain information such as the user's name and e-mail address, so that the server can recognise the user when he tries to reconnect without entering a username and/or password.
     
    Last edited: Aug 3, 2014
  15. Erel

    Erel Administrator Staff Member Licensed User

    The keystore is only used to store the server certificate (and keys). It is not related to any other authentication mechanism that you use.
     
  16. avacondios

    avacondios Active Member Licensed User

    Hi Erel,

    for the SSL ... does it support SSL from Thawte?
     
  17. Erel

    Erel Administrator Staff Member Licensed User

    It should work with any valid certificate.
     
  18. tchart

    tchart Active Member Licensed User

  19. dar2o3

    dar2o3 Active Member Licensed User

    Hello, I am trying to use the keys provided by Let's Encrypt in .pem format but do not get any satisfactory result. Has somebody got it working?
     
  20. dar2o3

    dar2o3 Active Member Licensed User
