Javalin 5 Secure Connections

26 Jan 2023

This is another follow-up to a now out-of-date earlier walkthrough.

The first follow-up is here: Jetty 11 Secure Connections

(So, yes, this is a follow-up to a follow-up.)

In this note I look at how to replace my custom Jetty server configuration with two Javalin plugins:

  • the community-provided SSL plugin
  • a bundled plugin which redirects requests from an insecure http connection to a secure https connection.

SSL Plugin

The SSL plugin has various well-documented options - but here is a simple set-up:

The import:

import io.javalin.community.ssl.SSLPlugin;

My ports:

private static final int INSECURE_PORT = 8081;
private static final int SECURE_PORT = 8443;

The config:

// Imports needed in addition to the SSLPlugin import shown above.
import io.javalin.Javalin;
import io.javalin.config.JavalinConfig;

public static void main(String[] args) {
    Javalin app = Javalin.create(config -> {
        configureJavalin(config);
    }).start();
}

private static void configureJavalin(JavalinConfig config) {
    SSLPlugin sslPlugin = new SSLPlugin(conf -> {
        // PEM certificate, PEM private key, and the key's password.
        conf.pemFromPath("cert.pem", "key.pem", "thepassword");
        // Plain http connector.
        conf.insecure = true;
        conf.insecurePort = INSECURE_PORT;
        // TLS connector.
        conf.secure = true;
        conf.securePort = SECURE_PORT;
        // Reject TLS handshakes whose SNI host does not match the certificate.
        conf.sniHostCheck = true;
        // Offer HTTP/2 (h2 over TLS, h2c on the plain connector).
        conf.http2 = true;
    });
    config.plugins.register(sslPlugin);
}

When Javalin starts, you will see log messages similar to the following:

INFO io.javalin.Javalin - Listening on http://localhost:8081/
INFO io.javalin.Javalin - Listening on https://localhost:8443/

And, prior to that, more detailed Jetty messages - one for the insecure (http) connector, and one for the secure (https) connector:

Started ServerConnector@490caf5f{HTTP/1.1, (http/1.1, h2c)}{0.0.0.0:8081}
Started ServerConnector@59e505b2{SSL, (ssl, alpn, h2, http/1.1)}{0.0.0.0:8443}

One point to note: the h2c protocol listed for the insecure connector is HTTP/2 "cleartext", that is, HTTP/2 without TLS.

You can control much more than just the attributes shown above - check the Javadoc and tutorial.

Patching an Existing Jetty Server

The SSL plugin supports patching an existing instance of your Jetty server:

SSLPlugin sslPlugin = new SSLPlugin(conf -> {
    // your config here.
});

Server server = ...; // Your Jetty server.

sslPlugin.patch(server);
config.jetty.server(() -> server);

The Jetty server can be created however you need - similar to the example shown here - but without the logic which creates connectors, since those are now created by the SSL plugin.

You can therefore customize your Jetty server however you wish, manually - but then use the SSL plugin to handle creation of the Jetty connectors.

Important: In this situation, you no longer need to register the SSL plugin:

// Do NOT do this, when patching a server:
config.plugins.register(sslPlugin);

Acknowledgements - A very big thank you to the creator of the SSL plugin for helping me to understand how to use the SSL plugin.
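As an added example (not code from the post or from the SSL plugin project), here is the patching approach carried through with a concrete Jetty server. The server is built by hand with a bounded thread pool and graceful-stop settings, and connector creation is left entirely to the plugin's patch() call. The class name, the buildServer() helper, and the thread-pool numbers are my own choices; the SSL plugin options are the ones shown earlier in the post.

```java
import io.javalin.Javalin;
import io.javalin.community.ssl.SSLPlugin;
import io.javalin.config.JavalinConfig;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.thread.QueuedThreadPool;

// Hypothetical example class; names and numbers are assumptions.
public final class PatchedJettyExample {
    private static final int INSECURE_PORT = 8081;
    private static final int SECURE_PORT = 8443;

    // Build the Jetty server ourselves (thread pool, shutdown behaviour),
    // but do NOT add any connectors: the SSL plugin will add them.
    static Server buildServer() {
        QueuedThreadPool pool = new QueuedThreadPool(50, 8); // max threads, min threads
        pool.setName("javalin-jetty");
        Server server = new Server(pool);
        server.setStopAtShutdown(true);   // stop cleanly on JVM shutdown
        server.setStopTimeout(5_000);     // ms to wait for in-flight requests
        return server;
    }

    static void configureJavalin(JavalinConfig config) {
        SSLPlugin sslPlugin = new SSLPlugin(conf -> {
            conf.pemFromPath("cert.pem", "key.pem", "thepassword");
            conf.insecure = true;
            conf.insecurePort = INSECURE_PORT;
            conf.secure = true;
            conf.securePort = SECURE_PORT;
            conf.sniHostCheck = true;
            conf.http2 = true;
        });

        Server server = buildServer();
        sslPlugin.patch(server);            // adds the http and https connectors
        config.jetty.server(() -> server);  // hand our instance to Javalin
        // Deliberately no config.plugins.register(sslPlugin) here: when
        // patching, registering the plugin as well is not needed.
    }

    public static void main(String[] args) {
        Javalin app = Javalin.create(PatchedJettyExample::configureJavalin);
        app.get("/test", ctx -> ctx.result("hello over " + ctx.scheme()));
        app.start();
    }
}
```

With this in place the startup log should still show the two ServerConnector lines from the earlier section, one for 8081 and one for 8443, because the connectors come from patch() rather than from anything in buildServer().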

Traffic Redirection

For insecure-to-secure redirection, there is a separate bundled plugin:

config.plugins.enableSslRedirects();

That takes care of routing http traffic to https - but with a couple of caveats:

  • no redirection is performed for localhost hosts.
  • only the protocol is changed (http to https) - so if you are using non-standard ports (something other than 80 and 443) then those will not be changed.

You can see the source code here.

It’s a straightforward approach. You could write your own version, if needed.
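As an added example of "writing your own version" (this is my code, not the bundled Javalin plugin), the before-handler below addresses the second caveat: it rewrites the port as well as the scheme, using an explicit insecure-to-secure port map such as 8081 to 8443. The class name, the port map, and the trustForwardedProto flag are my own; the Javalin calls used (before(), Context.scheme(), host(), path(), queryString(), header(), redirect(location, HttpStatus)) are the Javalin 5 API.

```java
import io.javalin.Javalin;
import io.javalin.http.Context;
import io.javalin.http.Handler;
import io.javalin.http.HttpStatus;
import java.util.Map;

// Hypothetical example handler; not part of Javalin or the SSL plugin.
public final class PortAwareSslRedirect implements Handler {
    private final Map<Integer, Integer> portMap;   // insecure port -> secure port
    private final boolean trustForwardedProto;     // only true behind a proxy you control

    public PortAwareSslRedirect(Map<Integer, Integer> portMap, boolean trustForwardedProto) {
        this.portMap = Map.copyOf(portMap);
        this.trustForwardedProto = trustForwardedProto;
    }

    // Pure function: builds the https location from the request's Host header,
    // path and query string, mapping the port through portMap (default 443).
    static String secureLocation(String hostHeader, String path, String query,
                                 Map<Integer, Integer> portMap) {
        String host = hostHeader;
        int insecurePort = 80;
        int colon = hostHeader.lastIndexOf(':');
        // A bare IPv6 literal such as "[::1]" ends with ']' and carries no port.
        if (colon > 0 && !hostHeader.endsWith("]")) {
            host = hostHeader.substring(0, colon);
            try {
                insecurePort = Integer.parseInt(hostHeader.substring(colon + 1));
            } catch (NumberFormatException e) {
                // Malformed Host header: keep the default port rather than failing.
            }
        }
        int securePort = portMap.getOrDefault(insecurePort, 443);
        String portSuffix = securePort == 443 ? "" : ":" + securePort;
        String querySuffix = (query == null || query.isEmpty()) ? "" : "?" + query;
        return "https://" + host + portSuffix + path + querySuffix;
    }

    @Override
    public void handle(Context ctx) {
        String scheme = ctx.scheme();
        if (trustForwardedProto) {
            // Behind a TLS-terminating proxy the connector is plain http, so the
            // proxy's X-Forwarded-Proto header is the real client scheme.
            String forwarded = ctx.header("X-Forwarded-Proto");
            if (forwarded != null) {
                scheme = forwarded;
            }
        }
        if (!"http".equalsIgnoreCase(scheme)) {
            return; // already https, nothing to do
        }
        String location = secureLocation(ctx.host(), ctx.path(), ctx.queryString(), portMap);
        ctx.redirect(location, HttpStatus.MOVED_PERMANENTLY);
    }

    public static void main(String[] args) {
        Javalin app = Javalin.create(config -> {
            // Register the SSL plugin here, as shown earlier in the post, so that
            // both the 8081 (http) and 8443 (https) connectors exist.
        });
        // Runs before every request on both connectors; only http requests are redirected.
        app.before(new PortAwareSslRedirect(Map.of(8081, 8443), false));
        app.get("/test", ctx -> ctx.result("hello over " + ctx.scheme()));
        app.start();
    }
}
```

A request for http://localhost:8081/test?x=1 is answered with a 301 to https://localhost:8443/test?x=1, and the handler does not special-case localhost, so it can be exercised during local development. Leave trustForwardedProto false unless a proxy you control sets X-Forwarded-Proto, since a client can otherwise send that header itself and skip the redirect.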

A Note on HSTS

HSTS (HTTP Strict Transport Security) configurations used by your browser may interfere with your attempts to manage http and https connections and reroutes.

One symptom is that your browser's address bar inexplicably insists on changing a valid URL such as:

http://localhost:8080/test

…to an invalid one such as:

https://localhost:8080/test

Note the protocol has changed but the port number is still 8080.

There are plenty of articles discussing ways to fix this. Here is one:

Re-Hashed: How to clear HSTS settings in Chrome and Firefox

Or, try a different port number.