Jetty 9, jetty-runner HTTPS XML configuration

Recently my colleague Daniel and I were tasked with configuring an application that runs using the jetty-runner server to use SSL/HTTPS using XML. Googling around yielded plenty of information about how to do this programmatically using embedded Jetty, but we couldn't seem to find a complete example for this particular use case.

The application packaged as a WAR file runs using a command line similar to:

java -jar jetty-runner.jar application.war

By extrapolating from the programmatic examples for embedded Jetty, and the example Jetty configuration XML documents for Jetty 9, this is the XML configuration we ended up with:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">
    <!-- Force all communication over secure channels. -->
    <Set name="handler">
        <New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
            <Set name="handlers">
                <Array type="org.eclipse.jetty.server.Handler">
                    <Item>
                        <New id="SecuredRedirectHandler" class="org.eclipse.jetty.server.handler.SecuredRedirectHandler" />
                    </Item>
                    <Item>
                        <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection" />
                    </Item>
                    <Item>
                        <New id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler" />
                    </Item>
                </Array>
            </Set>
        </New>
    </Set>

    <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Set name="secureScheme">https</Set>
        <Set name="securePort">8443</Set>
    </New>

    <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
        <Call name="addCustomizer">
            <Arg>
                <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
            </Arg>
        </Call>
    </New>

    <New id="connector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server">
            <Ref refid="Server" />
        </Arg>
        <Arg name="factories">
            <Array type="org.eclipse.jetty.server.ConnectionFactory">
                <Item>
                    <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                        <Arg name="config">
                            <Ref refid="httpConfig" />
                        </Arg>
                    </New>
                </Item>
            </Array>
        </Arg>

        <Set name="port">8080</Set>
    </New>

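    <!-- Keystore location and password. The password is in clear text here;
         Jetty also accepts its obfuscated "OBF:" form for this value. -->
    <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
        <Set name="KeyStorePath">/home/user/keystore</Set>
        <Set name="KeyStorePassword">super secret phrase</Set>
    </New>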

    <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory">
        <Arg name="sslContextFactory">
            <Ref refid="sslContextFactory" />
        </Arg>
        <Arg name="next">http/1.1</Arg>
    </New>

    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server">
            <Ref refid="Server" />
        </Arg>
        <Arg name="factories">
            <Array type="org.eclipse.jetty.server.ConnectionFactory">
                <Item>
                    <Ref refid="sslConnectionFactory" />
                </Item>
                <Item>
                    <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                        <Arg name="config">
                            <Ref refid="httpsConfig" />
                        </Arg>
                    </New>
                </Item>
            </Array>
        </Arg>

        <Set name="port">8443</Set>
    </New>

    <Call name="setConnectors">
        <Arg>
            <Array type="org.eclipse.jetty.server.ServerConnector">
                <Item>
                    <Ref refid="connector" />
                </Item>
                <Item>
                    <Ref refid="sslConnector" />
                </Item>
            </Array>
        </Arg>
    </Call>
</Configure>

This configuration forces all communication over HTTPS, redirecting any HTTP requests to the secure channel. If you don't require this restriction then remove the org.eclipse.jetty.server.handler.SecuredRedirectHandler definition.

To use this configuration we adjust the command line as follows:

java -jar jetty-runner.jar --config jetty-config.xml application.war
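
Before deploying a file like this, it is worth checking the settings the redirect depends on. The following lint is an added example, not part of the original post or of Jetty: it checks that securePort matches the port of a TLS connector, flags keystore passwords that are not in Jetty's "OBF:" form, and reports plain HTTP connectors served without SecuredRedirectHandler. The names lint and SAMPLE are hypothetical, and SAMPLE is a constructed, trimmed copy of the configuration above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the configuration above.
SAMPLE = """<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="redirect" class="org.eclipse.jetty.server.handler.SecuredRedirectHandler" />
  <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Set name="securePort">8443</Set>
  </New>
  <New id="connector" class="org.eclipse.jetty.server.ServerConnector">
    <Set name="port">8080</Set>
  </New>
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePassword">super secret phrase</Set>
  </New>
  <New id="sslConnectionFactory" class="org.eclipse.jetty.server.SslConnectionFactory" />
  <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
    <Arg name="factories"><Array><Item><Ref refid="sslConnectionFactory" /></Item></Array></Arg>
    <Set name="port">8443</Set>
  </New>
</Configure>"""
PASSWORDS = {"keystorepassword", "keymanagerpassword", "truststorepassword"}

def lint(xml_text):
    """Return a list of findings for a Jetty 9 XML configuration."""
    root = ET.fromstring(xml_text)
    classes = {e.get("id"): e.get("class", "") for e in root.iter() if e.get("id")}
    def cls(e):  # class of an element, resolving <Ref refid="..."/> to its target
        return e.get("class") or classes.get(e.get("refid"), "")
    tls_ports, plain_ports, findings = set(), set(), []
    for conn in root.iter("New"):
        if not cls(conn).endswith(".ServerConnector"):
            continue
        port = next(((s.text or "").strip() for s in conn.findall("Set")
                     if s.get("name") == "port"), "")
        tls = any(cls(e).endswith(".SslConnectionFactory") for e in conn.iter())
        (tls_ports if tls else plain_ports).add(port)
    for s in root.iter("Set"):
        name, value = (s.get("name") or "").lower(), (s.text or "").strip()
        if name == "secureport" and value not in tls_ports:
            findings.append(f"securePort {value} matches no TLS connector port")
        if name in PASSWORDS and not value.startswith("OBF:"):
            findings.append(f"{s.get('name')} is stored in clear text")
    if plain_ports and not any(cls(e).endswith(".SecuredRedirectHandler")
                               for e in root.iter("New")):
        findings.append(f"plain HTTP on port(s) {sorted(plain_ports)} without redirect")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
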

For information on setting up the keystore, please refer to the Jetty documentation.

Hopefully this will save others some time.
