helidon-io / helidon

Java libraries for writing microservices
https://helidon.io
Apache License 2.0
3.49k stars 564 forks

Helidon Webserver startup issue with TLS and Security layer in Helidon 4 SE version. #8208

Open MohanramGovindarasu opened 8 months ago

MohanramGovindarasu commented 8 months ago

Environment Details


Problem Description

Webserver fails to start with TLS and Security layer in Helidon 4 SE version, because of a mismatch in the .jks entry

Steps to reproduce

We are on the Helidon 4 SE version and have a couple of queries on security/jks config in application.yaml.

  1. How to configure a file system path for the jks file for a webserver with TLS? Let's say I have a jks file called xyz.jks; unless I copy the jks file into /src/main/resources/xyz.jks it doesn't work. For my use case, I don't want to package the jks files along with the jar. How can I configure a file system path and make it work?
server:
  port: <port>
  tls:
    enabled: false
    private-key:
      keystore:
        type: "JKS"
        key.alias: "<passkey>"
        passphrase: "<passpwd>"
        resource:
          resource-path: "xyz.jks"
  2. We would like to provide the TLS layer as a white paper for the customer. If they don't want to enable TLS, we would like to disable it from application.yaml. Setting enabled: false works, but it always expects the jks file to be present, which is weird. Any thoughts?
    tls:
      enabled: false

    Webserver start-up logs:

C:\helidonv4dev\customer-master>java -jar target\partyMgmt.jar
2024.01.05 07:52:46.381 myoracle - Starting...
2024.01.05 07:52:47.109 myoracle - Start completed.
2024.01.05 07:52:47.253 myoracle - Starting...
2024.01.05 07:52:47.258 myoracle - Start completed.
2024.01.05 07:52:47.309 Security is disabled, ignoring provider configuration
Exception in thread "main" java.lang.NullPointerException: Resource path does not exist: xyz.jks
        at java.base/java.util.Objects.requireNonNull(Objects.java:259)
        at io.helidon.common.configurable.ResourceUtil.toIs(ResourceUtil.java:83)
        at io.helidon.common.configurable.Resource.create(Resource.java:85)
        at io.helidon.common.configurable.Resource.create(Resource.java:157)
        at io.helidon.common.pki.KeystoreKeys$BuilderBase.keystore(KeystoreKeys.java:189)
        at java.base/java.util.Optional.ifPresent(Optional.java:178)
        at io.helidon.common.mapper.OptionalValue.ifPresent(OptionalValue.java:188)
        at io.helidon.common.pki.KeystoreKeys$BuilderBase.config(KeystoreKeys.java:156)
        at io.helidon.common.pki.KeystoreKeys.create(KeystoreKeys.java:67)
        at io.helidon.config.ConfigValues.lambda$create$4(ConfigValues.java:168)
        at io.helidon.config.ConfigValues$GenericConfigValueImpl.asOptional(ConfigValues.java:255)
        at io.helidon.common.mapper.OptionalValue.ifPresent(OptionalValue.java:188)
        at io.helidon.common.pki.Keys$BuilderBase.config(Keys.java:153)
        at io.helidon.common.pki.Keys.create(Keys.java:73)
        at io.helidon.config.ConfigValues.lambda$create$4(ConfigValues.java:168)
        at io.helidon.config.ConfigValues$GenericConfigValueImpl.asOptional(ConfigValues.java:255)
        at io.helidon.common.mapper.OptionalValue.ifPresent(OptionalValue.java:188)
        at io.helidon.common.tls.TlsConfig$BuilderBase.config(TlsConfig.java:215)
        at io.helidon.common.tls.TlsConfig.create(TlsConfig.java:77)
        at io.helidon.config.ConfigValues.lambda$create$4(ConfigValues.java:168)
        at io.helidon.config.ConfigValues$GenericConfigValueImpl.asOptional(ConfigValues.java:255)
        at io.helidon.common.mapper.OptionalValue.ifPresent(OptionalValue.java:188)
        at io.helidon.webserver.ListenerConfig$BuilderBase.config(ListenerConfig.java:253)
        at io.helidon.webserver.WebServerConfig$BuilderBase.config(WebServerConfig.java:176)
        at com.oracle.partyMgmt.Main.main(Main.java:90)

  3. Similar to TLS, we would like to white paper the Security layer as well. We are using the IDCS implementation; though we set "enabled: false" at the security layer, when we bring up the webserver (runtime) it errors out at the "OidcFeature" line. If we comment out that line of code it works. Any suggestions on this? We don't want customers to touch the code and package the jar at any cost. The expectation from the customer is to configure jks details/security layer from config files like application.yaml and start the webserver.

Main.java:

import io.helidon.config.Config;
import io.helidon.security.providers.oidc.OidcFeature;
import io.helidon.webserver.http.HttpRouting;

static void routing(HttpRouting.Builder routing) {
    Config config = Config.create();
    // start-up fails on this call when security.enabled is false (see logs below)
    routing
            .addFeature(OidcFeature.create(config));
}

application.yaml:

security:
  enabled: false
  config.require-encryption: false
  providers:
    - abac: # Adds ABAC Provider - it does not require any configuration
        fail-on-unvalidated: true
        fail-if-none-validated: true
    - oidc:
        identity-uri: "<URI>"
        client-id: "<cliendid>"
        client-secret: "<secret>"
        audience: "<hostname:port>"
        server-type: "idcs"
        redirect: false
        header-use: true

Webserver start-up logs:

Exception in thread "main" java.lang.NullPointerException: Cannot invoke "io.helidon.security.providers.oidc.common.OidcConfig.tokenCookieHandler()" because "this.oidcConfig" is null
        at io.helidon.security.providers.oidc.OidcFeature.<init>(OidcFeature.java:161)
        at io.helidon.security.providers.oidc.OidcFeature$Builder.build(OidcFeature.java:616)
        at io.helidon.security.providers.oidc.OidcFeature.create(OidcFeature.java:197)
        at com.oracle.partyMgmt.Main.routing(Main.java:116)
        at io.helidon.webserver.WebServerConfigSupport$ListenerCustomMethods.routing(WebServerConfigSupport.java:158)
        at io.helidon.webserver.ListenerConfig$BuilderBase.routing(ListenerConfig.java:228)
        at com.oracle.partyMgmt.Main.main(Main.java:91)

Thanks, Mohan

Verdent commented 8 months ago
  1. Try using path instead of resource-path
  2. Yes, this will very likely need to be improved
  3. If I understand it correctly, it is the same as with the 2. Meaning that if overall security is set to false, internal parts should not be constructed/validated.
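A worked version of the reporter's set-up that applies the `path` suggestion from the reply above (question 1) and guards the `OidcFeature` call on `security.enabled` so the server starts with security switched off (question 3). This is an added illustration, not code from the issue or from the Helidon project. It assumes Helidon 4 SE with helidon-webserver, helidon-config-yaml and the OIDC security provider on the classpath; the keystore path, alias, passphrase and identity-provider values are placeholders, and the inline YAML stands in for application.yaml only so that the snippet is self-contained. It does not work around question 2: with `server.tls.enabled: false` the keystore is still read, as the first stack trace shows, so the example simply leaves TLS on.

```java
// Added example, not the issue reporter's or Helidon's own code.
// Assumes Helidon 4 SE: helidon-webserver, helidon-config-yaml,
// helidon-security-providers-oidc on the classpath.
import io.helidon.common.media.type.MediaTypes;
import io.helidon.config.Config;
import io.helidon.config.ConfigSources;
import io.helidon.security.providers.oidc.OidcFeature;
import io.helidon.webserver.WebServer;
import io.helidon.webserver.http.HttpRouting;

public class Main {

    // Constructed stand-in for application.yaml. The keystore is referenced with
    // "path" (file system) instead of "resource-path" (classpath), so the .jks
    // does not have to be packaged in the jar. All values are placeholders.
    static final String APPLICATION_YAML = """
            server:
              port: 8443
              tls:
                private-key:
                  keystore:
                    type: "JKS"
                    key.alias: "server"
                    passphrase: "changeit"
                    resource:
                      path: "/etc/partyMgmt/xyz.jks"
            security:
              enabled: false
              providers:
                - oidc:
                    identity-uri: "https://idcs.example.com"
                    client-id: "client-id"
                    client-secret: "client-secret"
                    audience: "localhost:8443"
                    server-type: "idcs"
                    redirect: false
                    header-use: true
            """;

    public static void main(String[] args) {
        // In the real application Config.create() with application.yaml on the
        // classpath replaces this explicit source.
        Config config = Config.create(
                ConfigSources.create(APPLICATION_YAML, MediaTypes.APPLICATION_X_YAML));

        WebServer.builder()
                .config(config.get("server"))
                .routing(routing -> routing(routing, config))
                .build()
                .start();
    }

    static void routing(HttpRouting.Builder routing, Config config) {
        // OidcFeature.create(config) dereferences its OidcConfig, which is never
        // built when security is disabled (the second stack trace in the issue),
        // so only register the feature when security is actually on.
        if (securityEnabled(config)) {
            routing.addFeature(OidcFeature.create(config));
        }
        routing.get("/health", (req, res) -> res.send("ok"));
    }

    // Missing "security.enabled" is treated as enabled, so forgetting the key
    // fails closed rather than silently exposing the routes.
    static boolean securityEnabled(Config config) {
        return config.get("security.enabled").asBoolean().orElse(true);
    }
}
```

With `security.enabled: true` the same YAML builds the OIDC feature from the provider block, so a customer can switch the security layer on or off from the config file alone, without rebuilding the jar; the guard is the only change to the routing code shown in the issue.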