ru4ert

Reputation: 1179

How to secure a Websocket. Apache Vhost or ServerEndpointConfig

I have a Tomcat9 webserver hosted via Apache2-Vhost.

How do I secure a websocket running on tomcat?

  1. Is it over an Apache Vhost certificate from letsencrypt/certbot?
  2. Is it in the javax.websocket.server.ServerEndpointConfig.Configurator of the Tomcat's Websocket class?

```java
@Override
public void modifyHandshake(ServerEndpointConfig config, HandshakeRequest request, HandshakeResponse response) {

  SSLContext csslContext = SSLContext.getInstance("TLS");

  config.getUserProperties().put(Constants.SSL_CONTEXT_PROPERTY, csslContext);
  config.getUserProperties().put(Constants.SSL_PROTOCOLS_PROPERTY, csslContext);
}
```

Upvotes: 1

Views: 301

Answers (1)

Christopher Schultz

Reputation: 20862

A Websocket connection is always started via an HTTP(S) request, upgraded to Websocket. So securing the connection between the client and the web server (or reverse proxy) is exactly the same as securing a "regular" HTTP connection.

You should never need to write any code for this, so your example #1 in your question where you are modifying the handshake isn't anything you need to consider.

You should be looking at something like #1 where you get a certificate from a Certificate Authority (CA) and install it into the reverse-proxy (httpd).

Upvotes: 2
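
The setup described in the answer above, as an added example that is not part of the original question or answer: TLS terminates at the Apache vhost with the certbot-issued certificate, and the WebSocket upgrade is proxied to Tomcat. The hostname `example.com`, the context path `/app`, the endpoint path `/app/ws` and the backend address `127.0.0.1:8080` are assumptions.

```apache
# Added example; hostname, paths and backend port are assumptions.
# Modules needed: ssl, proxy, proxy_http, proxy_wstunnel, headers

<VirtualHost *:80>
    ServerName example.com
    # Push every plain-HTTP request to HTTPS so the page, and therefore
    # its WebSocket URL, is only ever loaded over TLS (wss://).
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com

    # TLS terminates here, using the files certbot writes for the domain.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    ProxyRequests Off
    ProxyPreserveHost On

    # WebSocket endpoint first: ProxyPass rules match in order, so the
    # more specific path has to precede the general one.
    ProxyPass /app/ws ws://127.0.0.1:8080/app/ws

    # Everything else in the application goes over regular HTTP proxying.
    ProxyPass        /app/ http://127.0.0.1:8080/app/
    ProxyPassReverse /app/ http://127.0.0.1:8080/app/

    # Tell the backend the original request was HTTPS, and tell browsers
    # to keep using HTTPS for this host.
    RequestHeader set X-Forwarded-Proto "https"
    Header always set Strict-Transport-Security "max-age=31536000"

    # The hop to Tomcat is unencrypted. Keep it on loopback and bind the
    # Tomcat <Connector> to 127.0.0.1 (address="127.0.0.1" in server.xml)
    # so the backend cannot be reached around the proxy.
</VirtualHost>
```

With this in place the browser connects to `wss://example.com/app/ws`, and no TLS code is needed in the `ServerEndpointConfig.Configurator`.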
