
Enable SSL for specific context-path in Karaf Jetty

I have a JAX-RS service deployed in Karaf container v4.2.3 with Jetty v9.4.12, and the service is deployed under the /services context-path as shown in the picture.


I have managed to enable SSL client auth in Karaf Jetty, but the problem is that it enables it globally, which causes the system console to become inaccessible.

Here is the config I used in org.ops4j.pax.web.cfg:

# plain HTTP connector
org.osgi.service.http.enabled=false

# HTTPS connector
org.osgi.service.http.secure.enabled=true
org.osgi.service.http.port.secure=8443

# server key pair and the CA(s) trusted for client certificates
org.ops4j.pax.web.ssl.keystore=./etc/keystores/server-keystore.p12
org.ops4j.pax.web.ssl.keystore.password=secret
org.ops4j.pax.web.ssl.key.password=secret
org.ops4j.pax.web.ssl.truststore=etc/keystores/server-truststore.p12
org.ops4j.pax.web.ssl.truststore.password=secret

# require a client certificate on the HTTPS connector
org.ops4j.pax.web.ssl.clientauthneeded=true

Is it possible to have SSL client auth only for the /services path and leave the system console on non-SSL (HTTP)?

Thanks a lot.

You will need 2 ports or connectors configured (one with SSL/TLS, one without).

Then set the /services/* url-pattern to have a CONFIDENTIAL (servlet) constraint.

As an alternative to the default connectors, it is possible to configure additional connectors in the etc/jetty.xml configuration file.

The etc/jetty.xml is a standard Eclipse Jetty configuration file. The default Apache Karaf WebContainer etc/jetty.xml contains:

<!-- Use this connector for many frequently idle connections and for
    threadless continuations. -->
<Call name="addConnector">
    <Arg>
        <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
            <Set name="host">
                <Property name="jetty.host" />
            </Set>
            <Set name="port">
                <Property name="jetty.port" default="8181" />
            </Set>
            <Set name="maxIdleTime">300000</Set>
            <Set name="Acceptors">2</Set>
            <Set name="statsOn">false</Set>
            <Set name="confidentialPort">8443</Set>
            <Set name="lowResourcesConnections">20000</Set>
            <Set name="lowResourcesMaxIdleTime">5000</Set>
        </New>
    </Arg>
</Call>
<!-- =========================================================== -->
<!-- Configure Authentication Realms -->
<!-- Realms may be configured for the entire server here, or -->
<!-- they can be configured for a specific web app in a context -->
<!-- =========================================================== -->

The SelectChannelConnector defines the default connector of the WebContainer.

This connector defines the 8181 port number for the HTTP protocol (port property), and the 8443 port number for the HTTPS protocol (confidentialPort property).

The following resources give you details about advanced etc/jetty.xml configurations:

http://wiki.eclipse.org/Jetty/Howto/Configure_SSL
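The two steps of the answer above (a second connector, then a CONFIDENTIAL constraint) written out for the Jetty 9.4 that the question runs, as an added example that is not part of the original answer or of Karaf's own etc/jetty.xml. The Jetty 8 snippet quoted from the Karaf docs (SelectChannelConnector, confidentialPort) does not load on Jetty 9.4; the 9.4 equivalents are ServerConnector and HttpConfiguration.securePort. Keystore paths and passwords are copied from the posted org.ops4j.pax.web.cfg; the connector names `default` and `secureDefault` are assumptions, and the file is assumed to keep the XML declaration and DOCTYPE of Karaf's shipped etc/jetty.xml. Because these connectors live in jetty.xml, the posted cfg should keep the plain connector on (`org.osgi.service.http.enabled=true`) and not set `org.osgi.service.http.secure.enabled`/`clientauthneeded`, otherwise Pax Web still adds its own global mTLS connector.

```xml
<!-- (1) etc/jetty.xml, inside the existing
     <Configure id="Server" class="org.eclipse.jetty.server.Server"> element. -->

<!-- Shared HTTP settings. securePort/secureScheme replace the old
     confidentialPort: a plain-HTTP request for a CONFIDENTIAL resource is
     redirected to https://host:8443 instead of being served. -->
<New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Set name="secureScheme">https</Set>
  <Set name="securePort">8443</Set>
  <Set name="sendServerVersion">false</Set>
</New>

<!-- Connector 1: plain HTTP on 8181, keeps the system console reachable. -->
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server"/></Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config"><Ref refid="httpConfig"/></Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="name">default</Set>                 <!-- assumed name -->
      <Set name="host"><Property name="jetty.host"/></Set>
      <Set name="port">8181</Set>
      <Set name="idleTimeout">300000</Set>
    </New>
  </Arg>
</Call>

<!-- TLS material for connector 2: server identity from the keystore, client
     certificates validated against the truststore, client auth mandatory
     (the SslContextFactory counterpart of clientauthneeded=true). -->
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath">./etc/keystores/server-keystore.p12</Set>
  <Set name="KeyStoreType">PKCS12</Set>
  <Set name="KeyStorePassword">secret</Set>
  <Set name="KeyManagerPassword">secret</Set>
  <Set name="TrustStorePath">./etc/keystores/server-truststore.p12</Set>
  <Set name="TrustStoreType">PKCS12</Set>
  <Set name="TrustStorePassword">secret</Set>
  <Set name="NeedClientAuth">true</Set>
</New>

<!-- Same HTTP settings plus the customizer that exposes the verified client
     certificate to servlets (javax.servlet.request.X509Certificate). -->
<New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
  <Arg><Ref refid="httpConfig"/></Arg>
  <Call name="addCustomizer">
    <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
  </Call>
</New>

<!-- Connector 2: HTTPS with mandatory client certificate on 8443. -->
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server"/></Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <Item>
            <New class="org.eclipse.jetty.server.SslConnectionFactory">
              <Arg name="next">http/1.1</Arg>
              <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
            </New>
          </Item>
          <Item>
            <New class="org.eclipse.jetty.server.HttpConnectionFactory">
              <Arg name="config"><Ref refid="httpsConfig"/></Arg>
            </New>
          </Item>
        </Array>
      </Arg>
      <Set name="name">secureDefault</Set>           <!-- assumed name -->
      <Set name="host"><Property name="jetty.host"/></Set>
      <Set name="port">8443</Set>
    </New>
  </Arg>
</Call>

<!-- (2) WEB-INF/web.xml of the bundle that owns the /services context.
     url-pattern is relative to the context, so with context-path /services
     the whole service is "/*"; use "/services/*" only if the service sits
     inside a larger context. No auth-constraint: CONFIDENTIAL just forces TLS,
     the client certificate itself is enforced by the 8443 connector. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>jax-rs service</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Two checks after restarting Karaf: `curl -i http://localhost:8181/services/` should answer with a 302 whose Location points at https://localhost:8443/..., while the console on 8181 keeps answering 200; and `openssl s_client -connect localhost:8443` should list "Acceptable client certificate CA names" and fail the handshake when no client certificate is supplied. Note that CONFIDENTIAL redirects rather than refuses: a client that mistakenly sends credentials in the first plain-HTTP request has already put them on the wire before the redirect, so clients should be given the https URL directly and the constraint treated as a safety net, not the primary control. The console stays reachable on 8443 as well (with a client certificate), since connector-level client auth applies to every context served on that connector.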
