WFLY-6745 SSL by default

feature-pack/src/main/resources/configuration/host/host.xml

@@ -17,6 +17,11 @@
                 </authorization>
             </security-realm>
             <security-realm name="ApplicationRealm">
+                <server-identities>
+                    <ssl>
+                        <keystore path="application.keystore" relative-to="jboss.domain.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
+                    </ssl>
+                </server-identities>
                 <authentication>
                     <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                     <properties path="application-users.properties" relative-to="jboss.domain.config.dir"/>

feature-pack/src/main/resources/configuration/standalone/template.xml

@@ -18,6 +18,11 @@
                 </authorization>
             </security-realm>
             <security-realm name="ApplicationRealm">
+                <server-identities>
+                    <ssl>
+                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
+                    </ssl>
+                </server-identities>
                 <authentication>
                     <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                     <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>

servlet-feature-pack/src/main/resources/configuration/standalone/template.xml

@@ -18,6 +18,11 @@
                 </authorization>
             </security-realm>
             <security-realm name="ApplicationRealm">
+                <server-identities>
+                    <ssl>
+                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
+                    </ssl>
+                </server-identities>
                 <authentication>
                     <local default-user="$local" allowed-users="*" />
                     <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>

testsuite/integration/manualmode/src/test/java/org/jboss/as/test/manualmode/web/ssl/AbstractCertificateLoginModuleTestCase.java

@@ -21,9 +21,13 @@
  */
 package org.jboss.as.test.manualmode.web.ssl;
 
+import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ADD;
+import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ALLOW_RESOURCE_SERVICE_RESTART;
+import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OPERATION_HEADERS;
+import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.PORT;
 import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.PROTOCOL;
+import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ROLLBACK_ON_RUNTIME_FAILURE;
 import static org.jboss.as.test.integration.management.util.ModelUtil.createOpNode;
-import static org.jboss.as.test.integration.security.common.SSLTruststoreUtil.HTTPS_PORT;
 import static org.jboss.as.test.integration.security.common.Utils.makeCallWithHttpClient;
 import static org.junit.Assert.assertEquals;
 import static org.jboss.as.test.shared.ServerReload.executeReloadAndWaitForCompletion;
@@ -86,6 +90,8 @@ public abstract class AbstractCertificateLoginModuleTestCase {
     protected static final String SECURED_SERVLET_WITH_SESSION = SimpleSecuredServlet.SERVLET_PATH + "?"
             + SimpleSecuredServlet.CREATE_SESSION_PARAM + "=true";
 
+    private static final int HTTPS_PORT = 8444;
+
     /**
      * Testing access to HTTPS connector which have configured truststore with
      * trusted certificates. Client with trusted certificate is allowed to
@@ -196,16 +202,27 @@ public void setup(ManagementClient managementClient, String containerId) throws
 
             executeReloadAndWaitForCompletion(client, 100000);
 
-            operation = createOpNode("subsystem=undertow/server=default-server/https-listener=https", ModelDescriptionConstants.ADD);
-            operation.get("socket-binding").set("https");
+            operation = createOpNode("socket-binding-group=standard-sockets/socket-binding=https2" , ADD);
+            operation.get(PORT).set(Integer.toString(HTTPS_PORT));
+            operation.get(OPERATION_HEADERS, ROLLBACK_ON_RUNTIME_FAILURE).set(false);
+            operation.get(OPERATION_HEADERS, ALLOW_RESOURCE_SERVICE_RESTART).set(true);
+            Utils.applyUpdate(operation, client);
+
+            operation = createOpNode("subsystem=undertow/server=default-server/https-listener=https2", ModelDescriptionConstants.ADD);
+            operation.get("socket-binding").set("https2");
             operation.get("security-realm").set(HTTPS_REALM);
             Utils.applyUpdate(operation, client);
         }
 
         @Override
         public void tearDown(ManagementClient managementClient, String containerId) throws Exception {
 
-            ModelNode operation = createOpNode("subsystem=undertow/server=default-server/https-listener=https",
+            ModelNode operation = createOpNode("subsystem=undertow/server=default-server/https-listener=https2",
+                    ModelDescriptionConstants.REMOVE);
+            operation.get(OPERATION_HEADERS, ALLOW_RESOURCE_SERVICE_RESTART).set(true);
+            Utils.applyUpdate(operation, managementClient.getControllerClient());
+
+            operation = createOpNode("socket-binding-group=standard-sockets/socket-binding=https2",
                     ModelDescriptionConstants.REMOVE);
             Utils.applyUpdate(operation, managementClient.getControllerClient());
 

testsuite/integration/manualmode/src/test/java/org/jboss/as/test/manualmode/web/ssl/HTTPSWebConnectorTestCase.java

@@ -29,7 +29,6 @@
 import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.STEPS;
 import static org.jboss.as.test.integration.management.util.ModelUtil.createOpNode;
 import static org.jboss.as.test.integration.security.common.Utils.makeCallWithHttpClient;
-import static org.jboss.as.test.integration.security.common.SSLTruststoreUtil.HTTPS_PORT;
 import static org.jboss.as.test.integration.security.common.SSLTruststoreUtil.HTTPS_PORT_VERIFY_FALSE;
 import static org.jboss.as.test.integration.security.common.SSLTruststoreUtil.HTTPS_PORT_VERIFY_TRUE;
 import static org.jboss.as.test.integration.security.common.SSLTruststoreUtil.HTTPS_PORT_VERIFY_WANT;
@@ -108,6 +107,8 @@ public class HTTPSWebConnectorTestCase {
 
     private static final String HTTPS = "https";
 
+    public static final int HTTPS_PORT = 8444;
+
     private static Logger LOGGER = Logger.getLogger(HTTPSWebConnectorTestCase.class);
 
     private static SecurityTraceLoggingServerSetupTask TRACE_SECURITY = new SecurityTraceLoggingServerSetupTask();
@@ -166,55 +167,6 @@ public void startAndSetupContainer() throws Exception {
         deployer.deploy(APP_CONTEXT);
     }
 
-    /**
-     * @test.tsfi tsfi.port.https
-     * @test.tsfi tsfi.keystore.file
-     * @test.tsfi tsfi.truststore.file
-     * @test.objective Testing default HTTPs connector with configured CLIENT-CERT authentication (BaseCertLoginModule is used).
-     *                 Trusted client is allowed to access both secured/unsecured resource. Untrusted client can only access
-     *                 unprotected resources.
-     * @test.expectedResult Trusted client has access to protected and unprotected resources. Untrusted client has only access
-     *                      to unprotected resources.
-     * @throws Exception
-     */
-    @Test
-    @InSequence(1)
-    public void testDefaultConnector() throws Exception {
-
-        Assume.assumeFalse(SystemUtils.IS_JAVA_1_6 && SystemUtils.JAVA_VENDOR.toUpperCase(Locale.ENGLISH).contains("IBM"));
-
-        final URL printPrincipalUrl = getServletUrl(HTTPS_PORT, PrincipalPrintingServlet.SERVLET_PATH);
-        final URL securedUrl = getServletUrl(HTTPS_PORT, SECURED_SERVLET_WITH_SESSION);
-        final URL unsecuredUrl = getServletUrl(HTTPS_PORT, SimpleServlet.SERVLET_PATH);
-
-        final HttpClient httpClient = getHttpClient(CLIENT_KEYSTORE_FILE);
-        final HttpClient httpClientUntrusted = getHttpClient(UNTRUSTED_KEYSTORE_FILE);
-
-        try {
-            makeCallWithHttpClient(printPrincipalUrl, httpClient, HttpServletResponse.SC_FORBIDDEN);
-
-            String responseBody = makeCallWithHttpClient(securedUrl, httpClient, HttpServletResponse.SC_OK);
-            assertEquals("Secured page was not reached", SimpleSecuredServlet.RESPONSE_BODY, responseBody);
-
-            String principal = makeCallWithHttpClient(printPrincipalUrl, httpClient, HttpServletResponse.SC_OK);
-            assertEquals("Unexpected principal", "cn=client", principal.toLowerCase());
-
-            responseBody = makeCallWithHttpClient(unsecuredUrl, httpClientUntrusted, HttpServletResponse.SC_OK);
-            assertEquals("Secured page was not reached", SimpleServlet.RESPONSE_BODY, responseBody);
-
-            try {
-                makeCallWithHttpClient(securedUrl, httpClientUntrusted, HttpServletResponse.SC_FORBIDDEN);
-            } catch (SSLHandshakeException e) {
-                // OK
-            } catch (java.net.SocketException se) {
-                // OK - on windows usually fails with this one
-            }
-        } finally {
-            httpClient.getConnectionManager().shutdown();
-            httpClientUntrusted.getConnectionManager().shutdown();
-        }
-    }
-
     /**
      * @test.tsfi tsfi.keystore.file
      * @test.tsfi tsfi.truststore.file
@@ -417,11 +369,6 @@ private void serverSetup(ManagementClient managementClient) throws Exception {
         LOGGER.info("*** restarting server");
         containerController.stop(CONTAINER);
         containerController.start(CONTAINER);
-
-        operation = createOpNode("subsystem=undertow/server=default-server/https-listener=" + HTTPS, ModelDescriptionConstants.ADD);
-        operation.get("socket-binding").set(HTTPS);
-        operation.get("security-realm").set(HTTPS_REALM);
-        Utils.applyUpdate(operation, client);
 
         addHttpsConnector("NOT_REQUESTED", HTTPS_NAME_VERIFY_NOT_REQUESTED, HTTPS_PORT_VERIFY_FALSE, client);
         addHttpsConnector("REQUESTED", HTTPS_NAME_VERIFY_REQUESTED, HTTPS_PORT_VERIFY_WANT, client);

testsuite/integration/ws/src/test/java/org/jboss/as/test/integration/ws/wsse/trust/WSTrustTestCase.java

@@ -463,7 +463,7 @@ public void testHolderOfKey() throws Exception {
             BusFactory.setThreadDefaultBus(bus);
 
             final QName serviceName = new QName("http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy", "HolderOfKeyService");
-            final URL wsdlURL = new URL("https", serviceURL.getHost(), serviceURL.getPort() - 8080 + 8443, "/jaxws-samples-wsse-policy-trust-holderofkey/HolderOfKeyService?wsdl");
+            final URL wsdlURL = new URL("https", serviceURL.getHost(), serviceURL.getPort() - 8080 + 8444, "/jaxws-samples-wsse-policy-trust-holderofkey/HolderOfKeyService?wsdl");
             Service service = Service.create(wsdlURL, serviceName);
             HolderOfKeyIface proxy = (HolderOfKeyIface) service.getPort(HolderOfKeyIface.class);
 

testsuite/integration/ws/src/test/java/org/jboss/as/test/integration/ws/wsse/trust/WSTrustTestCaseSecuritySetupTask.java

@@ -14,6 +14,7 @@
 import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ADD;
 import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ALLOW_RESOURCE_SERVICE_RESTART;
 import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OPERATION_HEADERS;
+import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.PORT;
 import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.REMOVE;
 import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ROLLBACK_ON_RUNTIME_FAILURE;
 import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SOCKET_BINDING;
@@ -57,16 +58,27 @@ public void tearDown(ManagementClient managementClient, String containerId) thro
      * </subsystem>
      */
     private void addHttpsListener(ManagementClient managementClient) throws Exception {
-        final ModelNode addOp = createOpNode("subsystem=undertow/server=default-server/https-listener=" + HTTPS_LISTENER_NAME, ADD);
-        addOp.get(SOCKET_BINDING).set("https");
+
+
+        ModelNode addOp = createOpNode("socket-binding-group=standard-sockets/socket-binding=https2" , ADD);
+        addOp.get(PORT).set("8444");
+        addOp.get(OPERATION_HEADERS, ROLLBACK_ON_RUNTIME_FAILURE).set(false);
+        addOp.get(OPERATION_HEADERS, ALLOW_RESOURCE_SERVICE_RESTART).set(true);
+        CoreUtils.applyUpdate(addOp, managementClient.getControllerClient());
+        addOp = createOpNode("subsystem=undertow/server=default-server/https-listener=" + HTTPS_LISTENER_NAME, ADD);
+        addOp.get(SOCKET_BINDING).set("https2");
         addOp.get(SECURITY_REALM).set(SECURITY_REALM_NAME);
         addOp.get(OPERATION_HEADERS, ROLLBACK_ON_RUNTIME_FAILURE).set(false);
         addOp.get(OPERATION_HEADERS, ALLOW_RESOURCE_SERVICE_RESTART).set(true);
         CoreUtils.applyUpdate(addOp, managementClient.getControllerClient());
     }
 
     private void removeHttpsListener(ManagementClient managementClient) throws Exception {
-        final ModelNode removeOp = createOpNode("subsystem=undertow/server=default-server/https-listener=" + HTTPS_LISTENER_NAME, REMOVE);
+        ModelNode removeOp = createOpNode("socket-binding-group=standard-sockets/socket-binding=https2" + HTTPS_LISTENER_NAME, REMOVE);
+        removeOp.get(OPERATION_HEADERS, ROLLBACK_ON_RUNTIME_FAILURE).set(false);
+        removeOp.get(OPERATION_HEADERS, ALLOW_RESOURCE_SERVICE_RESTART).set(true);
+        CoreUtils.applyUpdate(removeOp, managementClient.getControllerClient());
+        removeOp = createOpNode("subsystem=undertow/server=default-server/https-listener=" + HTTPS_LISTENER_NAME, REMOVE);
         removeOp.get(OPERATION_HEADERS, ROLLBACK_ON_RUNTIME_FAILURE).set(false);
         removeOp.get(OPERATION_HEADERS, ALLOW_RESOURCE_SERVICE_RESTART).set(true);
         CoreUtils.applyUpdate(removeOp, managementClient.getControllerClient());

testsuite/mixed-domain/src/test/resources/master-config/host.xml

@@ -10,6 +10,11 @@
                 </authentication>
             </security-realm>
             <security-realm name="ApplicationRealm">
+                <server-identities>
+                    <ssl>
+                        <keystore path="application.keystore" relative-to="jboss.domain.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
+                    </ssl>
+                </server-identities>
                 <!-- These are updated to come from the actual built AS -->
                 <authentication>
                      <local default-user="$local" allowed-users="*" skip-group-loading="true"/>

undertow/src/main/resources/subsystem-templates/undertow.xml

@@ -31,6 +31,7 @@
         <server name="default-server">
             <?AJP?>
             <http-listener name="default" socket-binding="http" redirect-socket="https" />
+            <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" />
             <host name="default-host" alias="localhost">
                 <location name="/" handler="welcome-content" />
                 <filter-ref name="server-header"/>