
I have a Tomcat9 webserver hosted via Apache2-Vhost.

How do I secure a websocket running on tomcat?

  1. Is it over an Apache Vhost certificate from letsencrypt/certbot?
  2. Is it in the javax.websocket.server.ServerEndpointConfig.Configurator of the Tomcat's Websocket class?

```java
// Inside a subclass of javax.websocket.server.ServerEndpointConfig.Configurator;
// Constants is assumed to be org.apache.tomcat.websocket.Constants
@Override
public void modifyHandshake(ServerEndpointConfig config, HandshakeRequest request, HandshakeResponse response) {
  try {
    SSLContext csslContext = SSLContext.getInstance("TLS");
    csslContext.init(null, null, null); // default key and trust managers
    config.getUserProperties().put(Constants.SSL_CONTEXT_PROPERTY, csslContext);
    // SSL_PROTOCOLS_PROPERTY expects a comma-separated String of protocol names, not an SSLContext
    config.getUserProperties().put(Constants.SSL_PROTOCOLS_PROPERTY, "TLSv1.2,TLSv1.3");
  } catch (NoSuchAlgorithmException | KeyManagementException e) {
    throw new IllegalStateException("Could not initialise TLS context", e);
  }
}
```
  • There's no "Apache2 Tomcat" webserver. Which one do you have? Apache httpd, or Tomcat? As you also tag Java, I'm assuming it's Tomcat and edit accordingly. Correct (with explanation) if it's anything else. Also, no code being involved, I consider this question off topic on Stack Overflow (see [help/on-topic]) – Olaf Kock Jul 30 '20 at 07:00
  • When you say "secure", what exactly do you mean? – Christopher Schultz Jul 31 '20 at 18:27
  • @ChristopherSchultz I mean, make the transfer of data secure. Like https does over http. – ru4ert Jul 31 '20 at 18:52
  • So you want to secure the communication channel between the reverse proxy (Apache httpd?) and Tomcat? How are they currently connected? (e.g. what protocol / httpd modules are in play)? – Christopher Schultz Jul 31 '20 at 19:02
  • @ChristopherSchultz I want to secure the channel from the client, a web browser/website, to the Tomcat 9 webserver. The Tomcat 9 webserver is hosted locally on 8080, as is the default for many applications, and my Apache server is connected over the Tomcat connector. What is important is that the websocket connection to the Apache is secure. – ru4ert Jul 31 '20 at 19:22

1 Answer


A Websocket connection is always started via an HTTP(S) request, upgraded to Websocket. So securing the connection between the client and the web server (or reverse proxy) is exactly the same as securing a "regular" HTTP connection.

You should never need to write any code for this, so your example #1 in your question where you are modifying the handshake isn't anything you need to consider.

You should be looking at something like #1 where you get a certificate from a Certificate Authority (CA) and install it into the reverse-proxy (httpd).

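What the answer describes, as an added example that is not part of the question or the answer: an httpd vhost that terminates TLS with a certbot-issued certificate and proxies both plain HTTP and the WebSocket upgrade to Tomcat on localhost:8080. It assumes mod_ssl, mod_headers, mod_proxy, mod_proxy_http and mod_proxy_wstunnel are enabled, and the host name ws.example.org and the endpoint path /app/ws are hypothetical.

```apache
# Plain HTTP only redirects; no application traffic is served unencrypted
<VirtualHost *:80>
    ServerName ws.example.org
    Redirect permanent / https://ws.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName ws.example.org

    # Certificate and key as written by certbot for this host name (hypothetical)
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/ws.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ws.example.org/privkey.pem
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Tell Tomcat the original request was HTTPS so it builds https:// and wss:// URLs
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On

    # The WebSocket endpoint (hypothetical path) is proxied with ws:// and must come
    # BEFORE the generic http:// rule, otherwise the Upgrade handshake is not forwarded
    ProxyPass        /app/ws ws://127.0.0.1:8080/app/ws
    ProxyPassReverse /app/ws ws://127.0.0.1:8080/app/ws

    # Everything else in the web application goes over plain HTTP to the local connector
    ProxyPass        /app/ http://127.0.0.1:8080/app/
    ProxyPassReverse /app/ http://127.0.0.1:8080/app/
</VirtualHost>
```

The browser then opens wss://ws.example.org/app/ws and the Tomcat connector on 8080 stays plain HTTP, so it should bind to 127.0.0.1 only. Tomcat only honours X-Forwarded-Proto when RemoteIpValve (or RemoteIpFilter) is configured for it.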