You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@polygene.apache.org by Niclas Hedhman <ni...@hedhman.org> on 2017/05/21 06:02:10 UTC

library/http

Hi,

I am changing the library/restlet to use the internal Jetty server instead
of war deployment. Mainly to better tailor for "spring boot"-style of
generation in Polygene Generator.

Now, the library/http looks on paper to support HTTPS, but I am having
problem getting it working. Does anyone know if it can be made to work at
all? Any hints?


I am getting

javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:520)

when trying to connect.


I am creating empty JCEKS store and point both the truststore and keystore
to the same.

private void createKeyStore( String path, String type, String password )
    throws AssemblyException
{
    File keyFile = new File( path ).getAbsoluteFile();
    if( keyFile.exists() )
    {
        return;
    }
    if( !keyFile.getParentFile().exists() )
    {
        keyFile.getParentFile().mkdirs();
    }
    try( FileOutputStream fos = new FileOutputStream( keyFile ) )
    {
        KeyStore ks = KeyStore.getInstance( type );
        char[] pwd = password.toCharArray();
        ks.load( null, pwd );
        ks.store( fos, pwd );
    }
    catch( Exception e )
    {
        throw new AssemblyException( "Unable to create keystore.", e );
    }
}


Or is the problem simply that I also need to populate some keys?


FTR, I think the current Polygene Generator is broken.


Cheers
-- 
Niclas Hedhman, Software Developer
http://polygene.apache.org - New Energy for Java

Re: library/http

Posted by Paul Merlin <pa...@apache.org>.

Le 2017-05-21 14:59, Niclas Hedhman a écrit :
> Thanks,
> I am trying to generate certs and stuff so that a dev environment is
> operational out of the box.

Great

> Broken; The model isn't instantiated until a request is issued to the
> Restlet API, so it fails assembly in various ways, I think. No idea how 
> to
> add tests for that, but since I want a standalone executable instead, I 
> am
> thinking of not bothering either.

We could add a JUnit test in generated projects.
This would help a lot to ensure everything works, always, and we don't 
regress!
And this way, generated projects would demonstrate how to benefit from 
very good testability of Polygene applications.

WDYT?

Re: library/http

Posted by Niclas Hedhman <ni...@hedhman.org>.

Pushed 'yeoman-work' branch. Going to sleep soon.

On Sun, May 21, 2017 at 10:33 PM, Niclas Hedhman <ni...@hedhman.org> wrote:

> So, I think the library/http is a either http or https, and not both at
> the same time. Currently, I am tying the 'security' feature in the
> generator to whether or not do http or https, but ideally it should be
> both, IMHO, allowing custom decision on when/how each connector is attached.
>
> I think I should simply commit what I have locally into a branch, and push
> that up, so you can take a look. Mind you, not fully working yet.
>
>
> Cheers
>
>
> On Sun, May 21, 2017 at 9:40 PM, Paul Merlin <pa...@apache.org>
> wrote:
>
>> Also, HTTPS should be opt-in.
>> If I intend to deploy my app in some managed environment where TLS is
>> handled by a proxy I may not want to expose an HTTPS service.
>>
>> With my 3.0 release manager hat on:
>>
>> - HTTPS out of the box in generated projects could go into 3.1 if that's
>> too much hassle for now.
>> - We should add tests to generated projects for 3.0 to ensure they work
>> and won't regress.
>>
>>
>
>
> --
> Niclas Hedhman, Software Developer
> http://polygene.apache.org - New Energy for Java
>



-- 
Niclas Hedhman, Software Developer
http://polygene.apache.org - New Energy for Java

Re: library/http

Posted by Niclas Hedhman <ni...@hedhman.org>.

So, I think the library/http is a either http or https, and not both at the
same time. Currently, I am tying the 'security' feature in the generator to
whether or not do http or https, but ideally it should be both, IMHO,
allowing custom decision on when/how each connector is attached.

I think I should simply commit what I have locally into a branch, and push
that up, so you can take a look. Mind you, not fully working yet.

Cheers

On Sun, May 21, 2017 at 9:40 PM, Paul Merlin <pa...@apache.org> wrote:

> Also, HTTPS should be opt-in.
> If I intend to deploy my app in some managed environment where TLS is
> handled by a proxy I may not want to expose an HTTPS service.
>
> With my 3.0 release manager hat on:
>
> - HTTPS out of the box in generated projects could go into 3.1 if that's
> too much hassle for now.
> - We should add tests to generated projects for 3.0 to ensure they work
> and won't regress.
>
>

-- 
Niclas Hedhman, Software Developer
http://polygene.apache.org - New Energy for Java

Re: library/http

Posted by Paul Merlin <pa...@apache.org>.

Also, HTTPS should be opt-in.
If I intend to deploy my app in some managed environment where TLS is 
handled by a proxy I may not want to expose an HTTPS service.

With my 3.0 release manager hat on:

- HTTPS out of the box in generated projects could go into 3.1 if that's 
too much hassle for now.
- We should add tests to generated projects for 3.0 to ensure they work 
and won't regress.

Re: library/http

Posted by Paul Merlin <pa...@apache.org>.

Le 2017-05-21 14:59, Niclas Hedhman a écrit :
> I am trying to generate certs and stuff so that a dev environment is
> operational out of the box.

I'm getting curious :)

At what time do you generate the server certificate?

So, the generated projects will include a generated server certificate.
Looks like you also generate an empty server truststore.

Going from war deployment to using library/http, you can use the 
'application' Gradle plugin that generates start scripts and 
distributions archives easily.

Which leads me to: how are these keystores packaged in the built 
applications?

It would also be nice to provide a client truststore so it's easy to get 
started trusting the server.
It could then be used by test clients.

Re: library/http

Posted by Niclas Hedhman <ni...@hedhman.org>.

Thanks,
I am trying to generate certs and stuff so that a dev environment is
operational out of the box.

Broken; The model isn't instantiated until a request is issued to the
Restlet API, so it fails assembly in various ways, I think. No idea how to
add tests for that, but since I want a standalone executable instead, I am
thinking of not bothering either.

Cheers
Niclas



On Sun, May 21, 2017 at 7:37 PM, Paul Merlin <pa...@apache.org> wrote:

> Le 2017-05-21 08:02, Niclas Hedhman a écrit :
>
>> Hi,
>>
>> I am changing the library/restlet to use the internal Jetty server instead
>> of war deployment. Mainly to better tailor for "spring boot"-style of
>> generation in Polygene Generator.
>>
>
> Cool
>
> Now, the library/http looks on paper to support HTTPS, but I am having
>> problem getting it working. Does anyone know if it can be made to work at
>> all? Any hints?
>>
>>
>> I am getting
>>
>> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
>> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
>> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>> at
>> org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.
>> fill(SslConnection.java:520)
>>
>> when trying to connect.
>>
>>
>> I am creating empty JCEKS store and point both the truststore and keystore
>> to the same.
>>
>
> TLS works, see SecureJettyServiceTest and MutualSecureJettyServiceTest.
>
> It will need at least a server certificate including its private key to
> work though.
>
>
> FTR, I think the current Polygene Generator is broken.
>>
>
> In what way?
> If you find failures not catched by the :tools:generator-polygene:npmTest
> build task, then please add some tests.
>
>
>


-- 
Niclas Hedhman, Software Developer
http://polygene.apache.org - New Energy for Java

Re: library/http

Posted by Paul Merlin <pa...@apache.org>.

Le 2017-05-21 08:02, Niclas Hedhman a écrit :
> Hi,
> 
> I am changing the library/restlet to use the internal Jetty server 
> instead
> of war deployment. Mainly to better tailor for "spring boot"-style of
> generation in Polygene Generator.

Cool

> Now, the library/http looks on paper to support HTTPS, but I am having
> problem getting it working. Does anyone know if it can be made to work 
> at
> all? Any hints?
> 
> 
> I am getting
> 
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
> at 
> sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at
> org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:520)
> 
> when trying to connect.
> 
> 
> I am creating empty JCEKS store and point both the truststore and 
> keystore
> to the same.

TLS works, see SecureJettyServiceTest and MutualSecureJettyServiceTest.

It will need at least a server certificate including its private key to 
work though.


> FTR, I think the current Polygene Generator is broken.

In what way?
If you find failures not catched by the 
:tools:generator-polygene:npmTest build task, then please add some 
tests.