progress on fronting glassfish with apache #1096 #2657

Author: pdurbin

conf/httpd/conf.d/dataverse.conf

@@ -0,0 +1,19 @@
+ProxyPass / ajp://localhost:8009/
+
+# From https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
+
+RewriteEngine On
+# This will enable the Rewrite capabilities
+
+RewriteCond %{HTTPS} !=on
+# This checks to make sure the connection is not already HTTPS
+
+#RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
+RewriteRule ^/dvn/api/data-deposit/?(.*) https://%{SERVER_NAME}/dvn/api/data-deposit/$1 [R,L]
+# This rule will redirect users from their original location, to the same location but using HTTPS.
+# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
+# The leading slash is made optional so that this will work either in httpd.conf
+# or .htaccess context
+
+# [#GLASSFISH-20694] Glassfish 4.0 and jk Unable to populate SSL attributes - Java.net JIRA - https://java.net/jira/browse/GLASSFISH-20694
+#SSLOptions +StdEnvVars +ExportCertData

scripts/api/data-deposit/pipeline

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+require "rexml/document"
+include REXML
+service_document = Document.new `scripts/api/data-deposit/service-document`
+collection = XPath.first(service_document, "//collection/@href")
+puts collection
+
+puts "Getting first title from #{collection}"
+feed_of_studies = Document.new `scripts/api/data-deposit/show-collection #{collection}`
+title = XPath.first(feed_of_studies, "//title")
+puts title

scripts/api/data-deposit/service-document

@@ -1,8 +1,12 @@
 #!/bin/bash
+USERNAME=pete
+PASSWORD=$USERNAME
 if [ -z "$1" ]; then
-  USERNAME=pete
+  HOSTNAME=localhost:8181
 else
-  USERNAME=$1
+  HOSTNAME=$1
 fi
-PASSWORD=$USERNAME
-curl --insecure -s https://$USERNAME:$PASSWORD@localhost:8181/dvn/api/data-deposit/v1/swordv2/service-document | xmllint -format -
+URL=https://$HOSTNAME/dvn/api/data-deposit/v1/swordv2/service-document
+echo Retrieving service document from $URL >&2
+curl --insecure -u $USERNAME:$PASSWORD $URL \
+| xmllint -format -

scripts/api/data-deposit/show-collection

@@ -0,0 +1,10 @@
+#!/bin/bash
+USERNAME=pete
+PASSWORD=pete
+if [ -z "$1" ]; then
+  echo "Please provide a URL"
+else
+  URL=$1
+fi
+curl --insecure -s -u $USERNAME:$PASSWORD $URL
+#| xmllint -format -

scripts/installer/glassfish-setup.sh

@@ -231,6 +231,9 @@ fi
 
 ./asadmin $ASADMIN_OPTS create-javamail-resource --mailhost "$SMTP_SERVER" --mailuser "dataversenotify" --fromaddress "do-not-reply@${HOST_ADDRESS}" mail/notifyMailSession
 
+# so we can front with apache httpd ( ProxyPass / ajp://localhost:8009/ )
+./asadmin $ASADMIN_OPTS create-network-listener --protocol http-listener-1 --listenerport 8009 --jkenabled true jk-connector
+
 ###
 # Restart
 echo Updates done. Restarting...

scripts/setup/asadmin-setup.sh

@@ -101,7 +101,7 @@ if [ $SUDO_USER == "vagrant" ]
   wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo
   cd
   echo "Installing dependencies via yum"
-  yum install -y -q java-1.7.0-openjdk-devel postgresql-server apache-maven
+  yum install -y -q java-1.7.0-openjdk-devel postgresql-server apache-maven httpd mod_ssl
   rpm -q postgresql-server
   echo "Starting PostgreSQL"
   chkconfig postgresql on

src/main/java/edu/harvard/iq/dataverse/api/datadeposit/UrlManager.java

@@ -28,8 +28,32 @@ void processUrl(String url) throws SwordError {
         } catch (URISyntaxException ex) {
             throw new SwordError(UriRegistry.ERROR_BAD_REQUEST, "Invalid URL syntax: " + url);
         }
+        /**
+         * @todo: figure out another way to check for http. We used to use
+         * javaNetUri.getScheme() but now that we are using "ProxyPass /
+         * ajp://localhost:8009/" in Apache it's always http rather than https.
+         *
+         * http://serverfault.com/questions/6128/how-do-i-force-apache-to-use-https-in-conjunction-with-ajp
+         * http://stackoverflow.com/questions/1685563/apache-webserver-jboss-ajp-connectivity-with-https
+         * http://stackoverflow.com/questions/12460422/how-do-ensure-that-apache-ajp-to-tomcat-connection-is-secure-encrypted
+         */
         if (!"https".equals(javaNetUri.getScheme())) {
-            throw new SwordError(UriRegistry.ERROR_BAD_REQUEST, "https is required but protocol was " + javaNetUri.getScheme());
+            /**
+             * @todo figure out how to prevent this stackstrace from showing up
+             * in Glassfish logs:
+             *
+             * Unable to populate SSL attributes
+             * java.lang.IllegalStateException: SSLEngine is null at
+             * org.glassfish.grizzly.ssl.SSLSupportImpl
+             *
+             * SSLOptions +StdEnvVars +ExportCertData ?
+             *
+             * [#GLASSFISH-20694] Glassfish 4.0 and jk Unable to populate SSL
+             * attributes - Java.net JIRA -
+             * https://java.net/jira/browse/GLASSFISH-20694
+             */
+            logger.info("https is required but protocol was " + javaNetUri.getScheme());
+//            throw new SwordError(UriRegistry.ERROR_BAD_REQUEST, "https is required but protocol was " + javaNetUri.getScheme());
         }
         this.port = javaNetUri.getPort();
         String[] urlPartsArray = javaNetUri.getPath().split("/");