0
votes

I have a JAX-RS service deployed in a Karaf container v4.2.3 with Jetty v9.4.12, and the service is deployed under the /services context path as shown in the picture.


I have managed to enable SSL client auth in Karaf's Jetty, but the problem is that it enables it globally, which makes the system console inaccessible.

Here is the config I used in org.ops4j.pax.web.cfg:

# plain HTTP connector (port 8181 by default) switched off
org.osgi.service.http.enabled=false

# HTTPS connector on 8443
org.osgi.service.http.secure.enabled=true
org.osgi.service.http.port.secure=8443
org.ops4j.pax.web.ssl.keystore=./etc/keystores/server-keystore.p12
org.ops4j.pax.web.ssl.truststore=etc/keystores/server-truststore.p12
org.ops4j.pax.web.ssl.truststore.password=secret
org.ops4j.pax.web.ssl.key.password=secret
org.ops4j.pax.web.ssl.keystore.password=secret
# require a client certificate on the HTTPS connector (applies to everything served on it)
org.ops4j.pax.web.ssl.clientauthneeded=true

Is it possible to have SSL client auth only for the /services path and leave the system console on non-SSL (HTTP)?

Thanks a lot


2 Answers

0
votes

You will need two ports or connectors configured (one with SSL/TLS, one without).

Then set the /services/* url-pattern to have a CONFIDENTIAL (servlet) constraint.
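The servlet constraint mentioned in this answer, written out as an added example (not part of the answer, and not taken from the asker's deployment). It assumes the JAX-RS bundle is packaged as a WAB with a WEB-INF/web.xml; if the service is registered through CXF or the Pax Web whiteboard instead, the same constraint has to be declared through whatever mechanism that path uses. Note the URL pattern is relative to the web app's context path: if /services is the context path itself, the pattern inside that web app is `/*`; `/services/*` is right only when the resources sit below a context rooted at `/`.

```xml
<!-- WEB-INF/web.xml fragment (added example) -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>jax-rs services</web-resource-name>
        <!-- use /* instead if /services is the web app's own context path -->
        <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint here on purpose: CONFIDENTIAL only forces the
         request onto a secure connector. A request that arrives on the plain
         HTTP connector is answered with a redirect to
         secureScheme://host:securePort as set in that connector's
         HttpConfiguration. Which client certificates are accepted is decided
         by the TLS connector (needClientAuth + trust store), not by this
         constraint. -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Two practical caveats: the redirect only helps browsers and GET clients, since a POST redirected from HTTP to HTTPS loses its body, so point API clients at the 8443 URL directly; and the system console is not constrained, so it stays reachable on plain HTTP (bind that connector to localhost or an admin network rather than 0.0.0.0).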

0
votes

As an alternative to the default connectors, it is possible to configure additional connectors in the etc/jetty.xml configuration file.

The etc/jetty.xml is a standard Eclipse Jetty configuration file. The default Apache Karaf WebContainer etc/jetty.xml contains:

<!-- Use this connector for many frequently idle connections and for
    threadless continuations. -->
<Call name="addConnector">
    <Arg>
        <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
            <Set name="host">
                <Property name="jetty.host" />
            </Set>
            <Set name="port">
                <Property name="jetty.port" default="8181" />
            </Set>
            <Set name="maxIdleTime">300000</Set>
            <Set name="Acceptors">2</Set>
            <Set name="statsOn">false</Set>
            <Set name="confidentialPort">8443</Set>
            <Set name="lowResourcesConnections">20000</Set>
            <Set name="lowResourcesMaxIdleTime">5000</Set>
        </New>
    </Arg>
</Call>
<!-- =========================================================== -->
<!-- Configure Authentication Realms -->
<!-- Realms may be configured for the entire server here, or -->
<!-- they can be configured for a specific web app in a context -->
<!-- =========================================================== -->

The SelectChannelConnector defines the default connector of the WebContainer.

This connector defines the 8181 port number for the HTTP protocol (port property), and the 8443 port number for the HTTPS protocol (confidentialPort property).

The following resources give you details about advanced etc/jetty.xml configurations:

http://wiki.eclipse.org/Jetty/Howto/Configure_SSL
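The fragment quoted above uses the Jetty 8 SelectChannelConnector, which no longer exists in Jetty 9; on the asker's Jetty 9.4.12 the equivalent is a ServerConnector with connection factories. What follows is an added example of an etc/jetty.xml (not the Karaf default and not code from either answer) that gives the two connectors the first answer asks for: plain HTTP on 8181 for the console and TLS on 8443 that demands a client certificate. It assumes Karaf's jetty.xml declares the server as `<Configure id="Server" ...>` (needed for the `Ref refid="Server"` below), reuses the keystore paths and passwords from the question, and assumes that `org.osgi.service.http.enabled` and `org.osgi.service.http.secure.enabled` are set to false in org.ops4j.pax.web.cfg so that Pax Web does not create its own connectors on the same ports (check the Karaf log on startup for exactly these two listeners and no bind error).

```xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- etc/jetty.xml: added example for Jetty 9.4, two connectors -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

    <!-- HttpConfiguration shared by both connectors. securePort/secureScheme
         is where a CONFIDENTIAL-constrained request on the plain connector
         gets redirected to. -->
    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Set name="secureScheme">https</Set>
        <Set name="securePort">8443</Set>
        <Set name="sendServerVersion">false</Set>
    </New>

    <!-- 1) Plain HTTP on 8181 for the system console. Bound to loopback here
            (my choice, not a Karaf default) because console credentials would
            otherwise cross the network in clear. -->
    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ServerConnector">
                <Arg name="server"><Ref refid="Server"/></Arg>
                <Arg name="factories">
                    <Array type="org.eclipse.jetty.server.ConnectionFactory">
                        <Item>
                            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                                <Arg name="config"><Ref refid="httpConfig"/></Arg>
                            </New>
                        </Item>
                    </Array>
                </Arg>
                <Set name="host"><Property name="jetty.host" default="127.0.0.1"/></Set>
                <Set name="port"><Property name="jetty.port" default="8181"/></Set>
                <Set name="idleTimeout">300000</Set>
            </New>
        </Arg>
    </Call>

    <!-- 2) TLS on 8443 that requires a client certificate. needClientAuth is
            per-connector, so the console on 8181 is unaffected. -->
    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="keyStorePath">./etc/keystores/server-keystore.p12</Set>
        <Set name="keyStoreType">PKCS12</Set>
        <Set name="keyStorePassword">secret</Set>
        <Set name="keyManagerPassword">secret</Set>
        <!-- CA(s) that issued the client certificates you accept -->
        <Set name="trustStorePath">./etc/keystores/server-truststore.p12</Set>
        <Set name="trustStoreType">PKCS12</Set>
        <Set name="trustStorePassword">secret</Set>
        <Set name="needClientAuth">true</Set>
        <Set name="includeProtocols">
            <Array type="java.lang.String"><Item>TLSv1.2</Item></Array>
        </Set>
    </New>

    <!-- Copy of httpConfig plus the customizer that marks requests on this
         connector as secure (isSecure() true, client cert exposed to the app),
         which is what satisfies a CONFIDENTIAL transport-guarantee. -->
    <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Arg><Ref refid="httpConfig"/></Arg>
        <Call name="addCustomizer">
            <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
        </Call>
    </New>

    <Call name="addConnector">
        <Arg>
            <New class="org.eclipse.jetty.server.ServerConnector">
                <Arg name="server"><Ref refid="Server"/></Arg>
                <Arg name="factories">
                    <Array type="org.eclipse.jetty.server.ConnectionFactory">
                        <Item>
                            <New class="org.eclipse.jetty.server.SslConnectionFactory">
                                <Arg name="next">http/1.1</Arg>
                                <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
                            </New>
                        </Item>
                        <Item>
                            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                                <Arg name="config"><Ref refid="sslHttpConfig"/></Arg>
                            </New>
                        </Item>
                    </Array>
                </Arg>
                <Set name="host"><Property name="jetty.ssl.host"/></Set>
                <Set name="port"><Property name="jetty.ssl.port" default="8443"/></Set>
                <Set name="idleTimeout">30000</Set>
            </New>
        </Arg>
    </Call>
</Configure>
```

A quick check once Karaf is up: `curl -k https://host:8443/services/...` without a certificate must fail during the TLS handshake (not with an HTTP 401/403, which would mean the constraint is doing the work rather than the connector), the same request with `--cert client.pem --key client.key` must succeed, and `curl http://127.0.0.1:8181/system/console` must answer without any certificate. Keep in mind that this setup makes any path, console included, reachable on 8443 to anyone holding an accepted client certificate; the separation is per connector, not per path.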