How to secure a Websocket. Apache Vhost or ServerEndpointConfig
Question
I have a Tomcat9 webserver hosted via Apache2-Vhost.
How do I secure a websocket running on tomcat?
- Is it over a Apache Vhost certificat from letsencrypt/certbot?
- Is it in the
javax.websocket.server.ServerEndpointConfig.Configuratorof the Tomcat's Websocket class?
@Override
public void modifyHandshake(ServerEndpointConfig config, HandshakeRequest request, HandshakeResponse response) {
SSLContext csslContext = SSLContext.getInstance("TLS");
config.getUserProperties().put(Constants.SSL_CONTEXT_PROPERTY, csslContext);
config.getUserProperties().put(Constants.SSL_PROTOCOLS_PROPERTY, csslContext);
}
1 answers
solution1
2 ACCPTED 2020-07-31 19:53:17
A Websocket connection is always started via an HTTP(S) request, upgraded to Websocket. So securing the connection between the client and the web server (or reverse proxy) is exactly the same as securing a "regular" HTTP connection.
You should never need to write any code for this, so your example #1 in your question where you are modifying the handshake isn't anything you need to consider.
You should be looking at something like #1 where you get a certificate from a Certificate Authority (CA) and install it into the reverse-proxy (httpd).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.