You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@polygene.apache.org by Niclas Hedhman <ni...@hedhman.org> on 2017/05/21 06:02:10 UTC
library/http
Hi,
I am changing the library/restlet to use the internal Jetty server instead
of war deployment. Mainly to better tailor for "spring boot"-style of
generation in Polygene Generator.
Now, the library/http looks on paper to support HTTPS, but I am having
problem getting it working. Does anyone know if it can be made to work at
all? Any hints?
I am getting
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at
org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:520)
when trying to connect.
I am creating empty JCEKS store and point both the truststore and keystore
to the same.
private void createKeyStore( String path, String type, String password )
throws AssemblyException
{
File keyFile = new File( path ).getAbsoluteFile();
if( keyFile.exists() )
{
return;
}
if( !keyFile.getParentFile().exists() )
{
keyFile.getParentFile().mkdirs();
}
try( FileOutputStream fos = new FileOutputStream( keyFile ) )
{
KeyStore ks = KeyStore.getInstance( type );
char[] pwd = password.toCharArray();
ks.load( null, pwd );
ks.store( fos, pwd );
}
catch( Exception e )
{
throw new AssemblyException( "Unable to create keystore.", e );
}
}
Or is the problem simply that I also need to populate some keys?
FTR, I think the current Polygene Generator is broken.
Cheers
--
Niclas Hedhman, Software Developer
http://polygene.apache.org - New Energy for Java
Re: library/http
Posted by Paul Merlin <pa...@apache.org>.
Le 2017-05-21 14:59, Niclas Hedhman a écrit :
> Thanks,
> I am trying to generate certs and stuff so that a dev environment is
> operational out of the box.
Great
> Broken; The model isn't instantiated until a request is issued to the
> Restlet API, so it fails assembly in various ways, I think. No idea how
> to
> add tests for that, but since I want a standalone executable instead, I
> am
> thinking of not bothering either.
We could add a JUnit test in generated projects.
This would help a lot to ensure everything works, always, and we don't
regress!
And this way, generated projects would demonstrate how to benefit from
very good testability of Polygene applications.
WDYT?
Re: library/http
Posted by Niclas Hedhman <ni...@hedhman.org>.
Pushed 'yeoman-work' branch. Going to sleep soon.
On Sun, May 21, 2017 at 10:33 PM, Niclas Hedhman <ni...@hedhman.org> wrote:
> So, I think the library/http is a either http or https, and not both at
> the same time. Currently, I am tying the 'security' feature in the
> generator to whether or not do http or https, but ideally it should be
> both, IMHO, allowing custom decision on when/how each connector is attached.
>
> I think I should simply commit what I have locally into a branch, and push
> that up, so you can take a look. Mind you, not fully working yet.
>
>
> Cheers
>
>
> On Sun, May 21, 2017 at 9:40 PM, Paul Merlin <pa...@apache.org>
> wrote:
>
>> Also, HTTPS should be opt-in.
>> If I intend to deploy my app in some managed environment where TLS is
>> handled by a proxy I may not want to expose an HTTPS service.
>>
>> With my 3.0 release manager hat on:
>>
>> - HTTPS out of the box in generated projects could go into 3.1 if that's
>> too much hassle for now.
>> - We should add tests to generated projects for 3.0 to ensure they work
>> and won't regress.
>>
>>
>
>
> --
> Niclas Hedhman, Software Developer
> http://polygene.apache.org - New Energy for Java
>
--
Niclas Hedhman, Software Developer
http://polygene.apache.org - New Energy for Java
Re: library/http
Posted by Niclas Hedhman <ni...@hedhman.org>.
So, I think the library/http is a either http or https, and not both at the
same time. Currently, I am tying the 'security' feature in the generator to
whether or not do http or https, but ideally it should be both, IMHO,
allowing custom decision on when/how each connector is attached.
I think I should simply commit what I have locally into a branch, and push
that up, so you can take a look. Mind you, not fully working yet.
Cheers
On Sun, May 21, 2017 at 9:40 PM, Paul Merlin <pa...@apache.org> wrote:
> Also, HTTPS should be opt-in.
> If I intend to deploy my app in some managed environment where TLS is
> handled by a proxy I may not want to expose an HTTPS service.
>
> With my 3.0 release manager hat on:
>
> - HTTPS out of the box in generated projects could go into 3.1 if that's
> too much hassle for now.
> - We should add tests to generated projects for 3.0 to ensure they work
> and won't regress.
>
>
--
Niclas Hedhman, Software Developer
http://polygene.apache.org - New Energy for Java
Re: library/http
Posted by Paul Merlin <pa...@apache.org>.
Also, HTTPS should be opt-in.
If I intend to deploy my app in some managed environment where TLS is
handled by a proxy I may not want to expose an HTTPS service.
With my 3.0 release manager hat on:
- HTTPS out of the box in generated projects could go into 3.1 if that's
too much hassle for now.
- We should add tests to generated projects for 3.0 to ensure they work
and won't regress.
Re: library/http
Posted by Paul Merlin <pa...@apache.org>.
Le 2017-05-21 14:59, Niclas Hedhman a écrit :
> I am trying to generate certs and stuff so that a dev environment is
> operational out of the box.
I'm getting curious :)
At what time do you generate the server certificate?
So, the generated projects will include a generated server certificate.
Looks like you also generate an empty server truststore.
Going from war deployment to using library/http, you can use the
'application' Gradle plugin that generates start scripts and
distributions archives easily.
Which leads me to: how are these keystores packaged in the built
applications?
It would also be nice to provide a client truststore so it's easy to get
started trusting the server.
It could then be used by test clients.
Re: library/http
Posted by Niclas Hedhman <ni...@hedhman.org>.
Thanks,
I am trying to generate certs and stuff so that a dev environment is
operational out of the box.
Broken; The model isn't instantiated until a request is issued to the
Restlet API, so it fails assembly in various ways, I think. No idea how to
add tests for that, but since I want a standalone executable instead, I am
thinking of not bothering either.
Cheers
Niclas
On Sun, May 21, 2017 at 7:37 PM, Paul Merlin <pa...@apache.org> wrote:
> Le 2017-05-21 08:02, Niclas Hedhman a écrit :
>
>> Hi,
>>
>> I am changing the library/restlet to use the internal Jetty server instead
>> of war deployment. Mainly to better tailor for "spring boot"-style of
>> generation in Polygene Generator.
>>
>
> Cool
>
> Now, the library/http looks on paper to support HTTPS, but I am having
>> problem getting it working. Does anyone know if it can be made to work at
>> all? Any hints?
>>
>>
>> I am getting
>>
>> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
>> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
>> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
>> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
>> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>> at
>> org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.
>> fill(SslConnection.java:520)
>>
>> when trying to connect.
>>
>>
>> I am creating empty JCEKS store and point both the truststore and keystore
>> to the same.
>>
>
> TLS works, see SecureJettyServiceTest and MutualSecureJettyServiceTest.
>
> It will need at least a server certificate including its private key to
> work though.
>
>
> FTR, I think the current Polygene Generator is broken.
>>
>
> In what way?
> If you find failures not catched by the :tools:generator-polygene:npmTest
> build task, then please add some tests.
>
>
>
--
Niclas Hedhman, Software Developer
http://polygene.apache.org - New Energy for Java
Re: library/http
Posted by Paul Merlin <pa...@apache.org>.
Le 2017-05-21 08:02, Niclas Hedhman a écrit :
> Hi,
>
> I am changing the library/restlet to use the internal Jetty server
> instead
> of war deployment. Mainly to better tailor for "spring boot"-style of
> generation in Polygene Generator.
Cool
> Now, the library/http looks on paper to support HTTPS, but I am having
> problem getting it working. Does anyone know if it can be made to work
> at
> all? Any hints?
>
>
> I am getting
>
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
> at
> sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
> at
> org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:520)
>
> when trying to connect.
>
>
> I am creating empty JCEKS store and point both the truststore and
> keystore
> to the same.
TLS works, see SecureJettyServiceTest and MutualSecureJettyServiceTest.
It will need at least a server certificate including its private key to
work though.
> FTR, I think the current Polygene Generator is broken.
In what way?
If you find failures not catched by the
:tools:generator-polygene:npmTest build task, then please add some
tests.