Javalin - TLS 1.3 and HTTP/2
Some of the technical details in the below notes are quite out-of-date at this point. I have an updated walkthrough here: Jetty 11 Secure Connections.
For a long time, I have used Tomcat - and generally found it easy to use, hard to break, and sufficient for my relatively modest needs. Tomcat turns up in lots of different places - it’s embedded in Informatica PowerCenter for its admin console (or used to be, at least). And I’ve had “fun” building Tomcat’s APR connector - and wrestling with dangerously out-of-date versions of OpenSSL, figuring out how to build it all on Linux.
In the past I’ve briefly used WebLogic (back when it was still BEA WebLogic), and Apache as a front-end to Glassfish (painful, due to Glassfish Grizzly bugs) together with mod_jk and ajp13 (which were weird to configure).
Later on, with the rise of languages such as Ruby and Python, we were given a gigantic gift basket full of lightweight alternatives - Sinatra, Flask, and many, many others…
There was also an inversion of the relationship between a web application and its web server: Instead of running your application in a web container, you embedded your web server in the application. Jetty is a popular example of an embeddable web server.
I discovered Javalin after looking into Java Spark (also a very nice web framework). Javalin uses Jetty under the covers - and I immediately appreciated Javalin’s simplicity:
Javalin is also for Kotlin developers - not just Java. But I will only be talking about Java, having never used Kotlin.
For my demo web application, I use Javalin with some extra customizations, for the following requirements:
- Support for SSL/TLS (more accurately, for TLS 1.3 - which we should all be using).
- Support for HTTP/2 (also called h2 - not to be confused with the database by the same name).
(I hear HTTP/3 is knocking on the door, also…)
Javalin gives you full access to its embedded Jetty server, so both of the above are possible with some configuration. In my case, all Jetty config is implemented in Java code, not via XML config files.
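To make that concrete, here is a minimal sketch of a TLS 1.3-only, HTTP/2-capable Jetty server handed to Javalin. It is an example added to these notes, not the DemoJetty code from the GitHub repository. Assumptions: Javalin 3.x on Jetty 9.4 and Java 11+, with Jetty's http2-server, jetty-alpn-server and jetty-alpn-java-server modules on the classpath; the class name, port, keystore.p12 path and KEYSTORE_PASSWORD variable are placeholders.

```java
import io.javalin.Javalin;
import java.util.Objects;
import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class Tls13Http2Sketch { // hypothetical class name
    static final int PORT = 8443; // assumed port

    static Server buildServer() {
        // Server-side TLS settings: keystore from disk, password from the environment.
        SslContextFactory.Server tls = new SslContextFactory.Server();
        tls.setKeyStorePath("keystore.p12"); // placeholder path
        tls.setKeyStoreType("PKCS12");
        tls.setKeyStorePassword(Objects.requireNonNull(
                System.getenv("KEYSTORE_PASSWORD"), "KEYSTORE_PASSWORD is not set"));
        tls.setIncludeProtocols("TLSv1.3"); // refuse TLS 1.2 and older

        HttpConfiguration https = new HttpConfiguration();
        https.setSecureScheme("https");
        https.setSecurePort(PORT);
        https.setSendServerVersion(false); // no Jetty version in the Server header
        https.addCustomizer(new SecureRequestCustomizer());

        // ALPN negotiates h2 when the client offers it, otherwise HTTP/1.1.
        HttpConnectionFactory http11 = new HttpConnectionFactory(https);
        HTTP2ServerConnectionFactory h2 = new HTTP2ServerConnectionFactory(https);
        ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory();
        alpn.setDefaultProtocol(http11.getProtocol());
        SslConnectionFactory ssl = new SslConnectionFactory(tls, alpn.getProtocol());

        // Only this TLS connector is registered, so nothing listens in cleartext.
        Server server = new Server();
        ServerConnector connector = new ServerConnector(server, ssl, alpn, h2, http11);
        connector.setPort(PORT);
        server.addConnector(connector);
        return server;
    }

    public static void main(String[] args) {
        Javalin app = Javalin.create(config -> config.server(Tls13Http2Sketch::buildServer));
        app.get("/", ctx -> ctx.result("served by Javalin on embedded Jetty"));
        app.start(); // uses the connector configured above
    }
}
```

With a self-signed certificate in the keystore, `curl -vk --http2 --tlsv1.3 https://localhost:8443/` shows the negotiated TLS version and the ALPN result.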
The end result is a web application which supports HTTP/2…
…and which uses TLS 1.3:
You can see my code for all of this on GitHub. The main class is DemoApp - line 47 (in configureJavalin()) is the entry point into our Jetty customizations:
The Jetty configuration code is all contained in the DemoJetty class.
I owe a great debt of thanks to this example code (one of many Javalin examples available), on which I based my solution.