Exposing a web service via https with JBoss FUSE

Have you ever tried to expose a JAX-WS web service via https in JBoss FUSE? Well I tried to do that recently and ran into issues. I hope this post may help you on that task.

You could start by simply stating https in the address of your jaxws:endpoint:
<jaxws:endpoint implementor="com.acme.services.MyServiceImpl"
address="https://127.0.0.1:8443/services/MyService"/>

You would then also have to configure SSL for port 8443 via httpj:engine-factory. The problem is that if you work with OSGi blueprints, the documentation for that is not optimal, and I feel uncomfortable figuring out a security-relevant configuration by trial and error.

So what I did instead is that I exposed my web service via http on localhost and put a proxy in front of it. A proxy decouples your SSL encryption from your main application. That is in general a good idea because security stuff usually has its own life cycle, which can be quite quick. The proxy is set up through a Camel route featuring Jetty. The documentation on this approach is also far better.

Let’s have a look at my blueprint.xml. Note: You should put your proxy in a different module than your web service to get the “decoupling” advantage. This example has it in one module just for easier reading.

<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:jaxws="http://cxf.apache.org/blueprint/jaxws"
           xmlns:cxf="http://cxf.apache.org/blueprint/core"
           xsi:schemaLocation="http://cxf.apache.org/blueprint/core http://cxf.apache.org/schemas/blueprint/core.xsd
                               http://cxf.apache.org/blueprint/jaxws http://cxf.apache.org/schemas/blueprint/jaxws.xsd
                               http://camel.apache.org/schema/blueprint http://camel.apache.org/schema/blueprint/camel-blueprint.xsd"
        >
    <jaxws:endpoint
      implementor="com.acme.services.MyServiceImpl"
      address="http://127.0.0.1:8081/services/MyService"/>

    <camelContext
      id="jetty-for-ws-context"
      xmlns="http://camel.apache.org/schema/blueprint">

        <route>
            <!--
              Note the URI parameters:
                sslContextParametersRef points to the SSL configuration
                    further down below in this file.
                matchOnUriPrefix makes Camel also serve content below
                    services/MyService, like
                    services/MyService/some/stuff.
                    This is important for web services.
             -->
            <from uri="jetty:https://0.0.0.0:8443/services/MyService?sslContextParametersRef=sslContextParameters&amp;matchOnUriPrefix=true"/>
            <!--
              Note the URI parameters here as well:
                bridgeEndpoint=true: act as a proxy, please.
                throwExceptionOnFailure=false: please forward errors. This
                    is important for SOAP errors to be served correctly.
             -->
            <to uri="jetty:http://127.0.0.1:8081/services/MyService?bridgeEndpoint=true&amp;throwExceptionOnFailure=false"/>
        </route>
    </camelContext>

    <sslContextParameters
      id="sslContextParameters"
      xmlns="http://camel.apache.org/schema/blueprint">
        <keyManagers keyPassword="changeit">
            <keyStore resource="/path/to/my/keystore.jks"
                      password="changeit"/>
        </keyManagers>
    </sslContextParameters>
</blueprint>

It starts with our jaxws:endpoint on localhost:8081. The camel context thereafter features the proxy configuration and last but not least there are the sslContextParameters with configuration for SSL. You could also configure ciphers and other more advanced stuff within the sslContextParameters.
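
As an added example (not part of the original post), here is the sslContextParameters element from the blueprint above with the protocol and cipher restrictions mentioned in the previous paragraph. It assumes a Java 8 or later JVM, so that TLSv1.2 and GCM cipher suites are available, and that the child elements appear in the order shown; the keystore path and passwords are the post's placeholders.

```xml
<!-- Added example: drop-in replacement for the sslContextParameters
     element in the blueprint above. Keystore path and passwords are
     the placeholders used in the post. -->
<sslContextParameters
  id="sslContextParameters"
  xmlns="http://camel.apache.org/schema/blueprint">

    <!-- Patterns are regular expressions matched against the full
         JSSE cipher suite name. A suite is enabled only if it matches
         an include pattern and no exclude pattern. -->
    <cipherSuitesFilter>
        <!-- Keep AEAD (GCM) suites only. -->
        <include>.*_GCM_.*</include>
        <!-- Unauthenticated key exchange also exists in GCM variants,
             so it has to be excluded explicitly. -->
        <exclude>.*_anon_.*</exclude>
        <exclude>.*_NULL_.*</exclude>
        <exclude>.*_EXPORT_.*</exclude>
    </cipherSuitesFilter>

    <!-- Explicit protocol list: anything not listed here (SSLv3,
         TLSv1, TLSv1.1) is not offered by the Jetty consumer. -->
    <secureSocketProtocols>
        <secureSocketProtocol>TLSv1.2</secureSocketProtocol>
    </secureSocketProtocols>

    <keyManagers keyPassword="changeit">
        <keyStore resource="/path/to/my/keystore.jks"
                  password="changeit"/>
    </keyManagers>
</sslContextParameters>
```

If the include pattern matches no suite the JVM supports, the listener has no ciphers to offer and handshakes fail, so check the enabled suites on the target JVM after changing the filter.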

The camel route is pretty simple: Take requests from https://0.0.0.0:8443/services/MyService and forward them to our internal web service on localhost:8081. Please note that the URI parameters as explained in the XML comments are quite important. For production some additional tuning parameters could be necessary, but for a basic working example that’s it. You may have a look at the camel-jetty documentation for additional parameters.

I hope this post may help you. If you’ve got further ideas or questions feel free to post a comment or send me an email to immanuel.sims |a| akquinet.de

2 thoughts on “Exposing a web service via https with JBoss FUSE”

  1. Hi immanuel,

    Do you encounter an issue when the WSDL contains an xsd from another file?
    Suppose that when you expose your WSDL through cxf, you will have the WSDL exposed at http://127.0.0.1:8081/services/MyService?wsdl and within the WSDL itself, if there is an xsd, it will show as http://127.0.0.1:8081/services/MyService?xsd=myservice.xsd

    But when you expose it through jetty through another domain, e.g. https://yourhost:8443/…., inside the WSDL it is still pointing to http://127.0.0.1:8081/services/MyService?xsd=myservice.xsd, so it will have an issue when accessed through non-localhost.

    Regards,
    CC
