By default, Glassfish listens for HTTP on port 8080 and for HTTPS on port 8181.
It is better to listen on the default ports, 80 for HTTP and 443 for HTTPS; usually you don't want the user to enter port numbers as part of the URL.
Even though the Glassfish Admin Console allows you to change the ports (Configurations/Server Config/Network Config/Network Listener), certain server operating systems such as Ubuntu do not allow non-root users (you should run Glassfish as a separate user!) to bind to ports below 1024. We can achieve this by port rerouting with the iptables command (under Ubuntu):
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
iptables-save -c > /etc/iptables.rules
iptables-restore < /etc/iptables.rules
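To confirm that the saved rules file really contains both redirects, the following added example (not part of the original post) parses `iptables-save -c` output, including the `[packets:bytes]` counter prefix that `-c` writes, and only accepts REDIRECT rules in the nat table's PREROUTING chain. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format written by `iptables-save -c`.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
[12:720] -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
[3:180] -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8181
COMMIT
*filter
:INPUT ACCEPT [0:0]
[12:720] -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
[3:180] -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# redirect_target RULES PORT (hypothetical helper): print the --to-ports value
# of the nat PREROUTING REDIRECT rule for tcp destination PORT.
# Exit status is 1 when no such rule exists.
redirect_target() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\*/ { table = substr($0, 2); next }   # table header such as *nat
        table != "nat" { next }                 # ignore filter and other tables
        {
            sub(/^\[[0-9]+:[0-9]+\][ \t]*/, "") # drop the counters written by -c
            if ($1 != "-A" || $2 != "PREROUTING") next
            dport = ""; target = ""; to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--to-ports") to = $(i + 1)
            }
            if (dport == port && target == "REDIRECT" && to != "") {
                print to; found = 1; exit
            }
        }
        END { exit !found }'
}

# check_redirects RULES (hypothetical helper): succeed only if both mappings
# used above are present: 80 -> 8080 and 443 -> 8181.
check_redirects() {
    [ "$(redirect_target "$1" 80)" = "8080" ] &&
    [ "$(redirect_target "$1" 443)" = "8181" ]
}

# Usage against the real file:
#   check_redirects "$(cat /etc/iptables.rules)" && echo "redirects present"
```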
Additionally, you can get a proper SSL certificate so that the user is no longer annoyed by a warning about an improper certificate. See previous tutorial here.
SSL Error (Chrome)
If you operate an enterprise application whose URL is known to its users, unlike a regular website where the portal should be reachable over regular HTTP, I would completely disable regular HTTP.
After almost 3 years (see previous post) I revisit the topic, this time using the latest version of Glassfish, 3.1.2, and GoDaddy as certificate provider. I created a certificate for a sub-domain (sub.whateverdomain.com) this time and made use of the extremely cheap 5.99 U$/year offer (no wildcard included).
Let me summarize the key steps here:
UPDATE 2013-03-22: Please check the updated tutorial with GoDaddy and Glassfish V3.1.2 here.
At some stage while developing web applications (operating outside your fixed, LAN-wired, “secure” in-house network), your customer will hit you with the question “How secure is my data? Can I access the system via https and get the golden lock?”. You will quickly answer “No problem! We use Glassfish” (just because you vaguely remember seeing some https settings in the GF admin tool). It is indeed not that hard to get started, but if you are not a security expert and do not juggle certificates around, it might take you a while to get your web application running with the golden lock. I will summarize the steps in this tutorial to set up a Glassfish V3 domain running with https. Please feel free to comment and give feedback; I am not a security expert either (…yet).
Used for this tutorial:
- Glassfish V3
- Java keytool
- Free 90 days SSL certificate from Comodo (link)
- A server with an IP address and/or domain (www.somedomain.com). We need to be the owner of the domain (or at least the technical contact, more on that later)
- Basic knowledge of navigating around the Glassfish admin tool
- There are dozens of providers that sell you SSL certificates for 30 to 2000 U$ a year, companies like Verisign, Thawte and Comodo being the better-known ones. I can't give a recommendation nor judge the individual companies.
Find a list of providers here http://www.dmoz.org/Computers/Security/Public_Key_Infrastructure/PKIX/Tools_and_Services/Third_Party_Certificate_Authorities
- We (as in ‘user’) use security on the web on a daily basis (you do online banking, right?), but trying to understand and appreciate the underlying protocols and technologies throws a steep learning curve at us! If you want to get started, a few helpful links (in case you want to have some clue while talking to a customer):
- I recommend doing this tutorial with a test setup, not a production environment.
- The tutorial shall help you get running; I do not attempt to explain all the details. You can refer to the links above and dive into any level of detail you wish. There are dozens of options, parameters and settings; this tutorial only attempts to get it running. From there you can experiment with settings, different certificates, etc.