PEELY

Reputation: 1230

How can I programmatically enable WSS for a Tyrus WebSocket @ServerEndpoint

I have a microservice that has a REST endpoint and a WebSocket endpoint.

It Spring-wires Grizzly and Tyrus, and adds in authentication via SSO using a JAX-RS filter and a ServerEndpointConfig.Configurator. I've added in SSL to the REST endpoint using SSLContextConfigurator and SSLEngineConfigurator and a (currently) self-signed certificate.

I don't see a way to do the same for org.glassfish.tyrus.server.Server in Tyrus 1.14.

In fact, the code hardwires the protocol name, which makes me wonder if this is even possible:

LOGGER.info("WebSocket Registered apps: URLs all start with ws://" + this.hostName + ":" + this.getPort());

There's a similar question here but it requires deploying a WAR file to a full-on Glassfish instance. I want to do this programmatically.

Upvotes: 2

Views: 1686

Answers (2)

user2430147

Reputation: 299

I managed to get this working using a variation of the above. However, I strongly advise against it as the performance is terrible. This is nothing to do with Tyrus or Grizzly, but with Java. The SSL library in Java is notoriously slow, and since Grizzly uses Java, any WSS is going to be affected.

Apparently Jetty and Tomcat provide a way to use OpenSSL instead of the standard Java SSL. Alternatively, use an SSL terminator (e.g. Apache web server or HAProxy) that deals with the SSL and passes a standard WS connection to your server.

Upvotes: 0

PEELY

Reputation: 1230

Solved using the suggestion at https://stackoverflow.com/a/27239122/17641

    listener = new NetworkListener("grizzly", "0.0.0.0", port);
    listener.setSecure(true);
    listener.setSSLEngineConfig(new SSLEngineConfigurator(getSslContextConfigurator())
            .setClientMode(false)
            .setNeedClientAuth(false));

Where getSslContextConfigurator constructs an org.glassfish.grizzly.ssl.SSLContextConfigurator with a keystore byte[] and password.

Upvotes: 1
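
The listener setup from the answer above, filled out as an added example (not PEELY's code or the Tyrus/Grizzly project's own): it loads the keystore bytes, checks them at startup, and limits the listener to TLSv1.2. The class name, the environment variable names, port 8443 and the TLSv1.2 policy are assumptions; attaching the Tyrus endpoints to the server is done as in the linked answer and is not shown here.

```java
import org.glassfish.grizzly.http.server.HttpServer;
import org.glassfish.grizzly.http.server.NetworkListener;
import org.glassfish.grizzly.ssl.SSLContextConfigurator;
import org.glassfish.grizzly.ssl.SSLEngineConfigurator;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;

public class SecureListenerExample {   // hypothetical class name

    // Builds the configurator from an in-memory keystore and its password.
    static SSLContextConfigurator getSslContextConfigurator(byte[] keyStore, String password) {
        SSLContextConfigurator ctx = new SSLContextConfigurator();
        ctx.setKeyStoreBytes(keyStore);
        ctx.setKeyStorePass(password);
        // Fail at startup, not on the first handshake, if the keystore cannot be opened.
        if (!ctx.validateConfiguration(true)) {
            throw new IllegalStateException("keystore could not be loaded with the given password");
        }
        return ctx;
    }

    // Server-side TLS listener without client certificates, as in the answer.
    static NetworkListener secureListener(int port, byte[] keyStore, String password) {
        SSLEngineConfigurator engine =
                new SSLEngineConfigurator(getSslContextConfigurator(keyStore, password))
                        .setClientMode(false)
                        .setNeedClientAuth(false)
                        // Assumed policy: refuse SSLv3 / TLS 1.0 / TLS 1.1 handshakes.
                        .setEnabledProtocols(new String[] {"TLSv1.2"});
        NetworkListener listener = new NetworkListener("grizzly", "0.0.0.0", port);
        listener.setSecure(true);
        listener.setSSLEngineConfig(engine);
        return listener;
    }

    public static void main(String[] args) throws IOException {
        // Assumed inputs: keystore location and password are read from the environment.
        byte[] keyStore = Files.readAllBytes(Paths.get(System.getenv("KEYSTORE_PATH")));
        String password = System.getenv("KEYSTORE_PASSWORD");
        HttpServer server = new HttpServer();
        server.addListener(secureListener(8443, keyStore, password));
        server.start();
        System.in.read();        // keep running until Enter is pressed
        server.shutdownNow();
    }
}
```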
