SSL support


Brian Nesbitt

Jan 18, 2013, 11:10:04 PM
to reste...@googlegroups.com
Hi RestExpressians, (sad I didn't come up with that first!)

Was a community contributor to the Play framework 1.X but with v2 going Scala and just not needing the full heavier framework I am on the lookout again.  RestExpress seems good so far... have just done a few small things to get started (new to mvn as well) but in a few hours I was able to look at / debug / step through most of the code base which is always a good sign!

The other "framework" I am looking at, which also glues together best of breed libraries, is Dropwizard from the yammer folks.

Anyway, the first thing I noticed is that RestExpress doesn't support SSL yet.  Any plans for that?  Quick look around and does Netty have support for it.

Thanks,
Brian.

Todd Fredrich

Jan 22, 2013, 7:15:31 PM
to reste...@googlegroups.com
Hi Brian,

Welcome to the forum as a RestExpressian!  And thanks for your question.

The short answer is that Netty does, in fact, support SSL via its SslHandler and SSLEngine classes.  And since RestExpress simply wraps a Netty pipeline, adding said support wouldn't appear difficult, at least at first blush.

That being said, since RESTful services rely on the HTTP stack and the layered architecture, we've never actually needed SSL support in a back-end service, since SSL offloading occurs at higher levels in the stack: specifically, NGinX, Apache, HAProxy or hardware SSL offloading in a load balancer, etc.  For example, Amazon Web Services elastic load balancers can handle your certificate and perform SSL handling before forwarding the request to your services.

BTW, Dropwizard looks like a good framework, but I haven't used it.  It uses Jetty as its web server, whereas RestExpress utilizes Netty.  I expect Netty to be at least a little bit lighter weight--easier to manage and deploy, and possibly more performant.  Dropwizard, however, has the potential to be more complete, but wasn't available when I started RestExpress...

Interested in your thoughts.

Thanks,
--Todd "RestExpressian" Fredrich

Brian Nesbitt

Jan 22, 2013, 11:57:55 PM
to reste...@googlegroups.com
Agreed that you would normally offload it to nginx.  The situation is that it's for a product that would be installed internal to clients and they would want SSL termination at the server.

I did a quick apache bench test with both restexpress and DropWizard on a simple read querystring, create POJO and write json.  However meaningless it at least gives a ballpark.  Over 100k requests of 4 concurrent threads (I have an i7 3770) both had an avg time of 1 ms per request and 99.9% of requests under 3ms.  DropWizard had an avg of 11k requests / sec while restexpress was about 10.5k requests/second.  I guess Jetty is pretty fast as well :-)

As for deployment they actually have a maven build out of the box that uses the shade plugin and creates fat jars for you.  Jetty is run in its embedded mode ... i.e. no container issues, no web.xml file.  If you didn't know it was jetty underneath you wouldn't know as it's not exposed from their Service and Resource framework.  Once you do a maven deploy you get the fat jar and you run "java -jar project.jar server" and you are fired up on port 80.  Your service actually has the "public static void main()" and configuration is done in a yaml file with the defaults being "good enough".

It is pretty full featured... SSL, static assets, health checks with admin stats + metrics (http://metrics.codahale.com/), tasks, logging, Http Client, hibernate or jndi, db migrations with Liquibase... when you look at the (really good) documentation they pretty much have glued all parts you need to create a full site... but their focus is on the REST api portion.  Freemarker / mustache templates were added more recently.  I'll leave reading the rest of the docs to you... I don't need to keep repeating them :-)  haha

Thanks again for your response!

Todd Fredrich

Jan 25, 2013, 11:06:17 AM
to reste...@googlegroups.com
Thanks for the follow-up, Brian.

Interesting data points and feedback.  Sounds like DropWizard is a good choice.  I appreciate you taking the time to provide benchmark feedback--which indeed is somewhat surprising to me.  I wonder if swapping Jackson for Gson would make up that difference.  Sounds like some additional research on my part is in order.  Thanks for spending time to do that!

All the best,
--Todd

Raúl Guerrero Deschamps

Apr 25, 2013, 6:22:08 PM
to reste...@googlegroups.com
Hi Todd,

I'm just starting to try out NetExpress because it uses Netty, which is a net framework I'm researching and looks quite amazing. Mostly I was looking for a fully non-blocking asynchronous net stack, and version 4.0 seems to enable devs to use NIO.2 (AIO as they call it) which uses kernel threads and the Proactor pattern for asynchronous connection handling, so it's pretty modern, advanced, cool stuff.

I've used dropwizard before, it's really awesome, when passing around the entities to the REST services, uses Guava's zero-copy collections, so it's really optimal when handling entities and when serializing-deserializing to JSON in the services.

The problem I see with it is that, because it uses Jersey for the REST services, Jersey doesn't support asynchronous servlets yet, so even though dropwizard uses jetty which uses async channels at low level, it runs a servlet engine on top of it, and on top of that it runs Jersey, which is synchronous (and even if jetty supports async servlets like 3.0 or the new 3.1, still Jersey doesn't make use of them), so, if you want to achieve fully asynchronous calls from top to bottom, then you're in for a surprise with it.

The cool thing here is that, if you want to use dropwizard, the new version of Jersey (that is in beta and the release will be part of Glassfish 4) will support fully async servlets and will be async itself, so, I'm sure that by Q3 or Q4 of this year, dropwizard will be able to support asynchronous (non-blocking) REST services.

And that being said, that's what brings me to RestExpress, to find out if it actually makes full use of the asynchronous abilities that Netty gives you, either through using futures or callbacks, but that the actual RestExpress libraries do everything asynchronous inside as well, so to achieve a full async REST framework instead of "semi" like dropwizard does right now.

Todd Fredrich

Apr 25, 2013, 11:12:55 PM
to reste...@googlegroups.com
Hi Raul,

First up, welcome to the forum and thanks for your question.

RestExpress, right now, is built on Netty 3.6.2 and utilizes NIO (non-blocking I/O) for the front-end I/O worker threads (which defaults to 2 times the number of cores).  However, while the back-end processing occurs in an executor (using a thread pool), it does not yet support callbacks or fully-asynchronous processing as you desire.  As we've been using it with MongoDB and the MongoDB driver is synchronous, that works OK for us for the time being.  But it causes issues if you want to do service aggregation or call external services to enrich your responses.  At present, RestExpress doesn't support asynchronous controller methods, but it's on the backlog.

Thanks again for your post,
--Todd

Todd Fredrich

Jun 26, 2014, 1:24:03 PM
to reste...@googlegroups.com
As of the RestExpress 0.10.3 release, it now supports SSL, thanks to Clark Hobbie.

Emil Simeonov

Oct 27, 2014, 3:53:30 PM
to reste...@googlegroups.com
This is really great! I need to quickly add SSL support to my RestExpress-based RESTful backend. Are there any examples on setting it up? I couldn't find such :-(.

Todd Fredrich

Nov 4, 2014, 6:36:03 PM
to reste...@googlegroups.com
Hi Emil,

Essentially, you "simply" create a javax.net.SSLContext with your certificate, etc.

Then, in your RestExpress server initialization call setSSLContext(SSLContext).  That's it.

Looks something like this:

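import javax.net.ssl.SSLContext;

// SSLContext has no public constructor; obtain an instance by protocol name.
// It must be initialized with your key managers (context.init(...)) before use.
SSLContext context = SSLContext.getInstance("TLS");
...

RestExpress server = new RestExpress();
...
server.setSSLContext(context);
...
server.bind();
server.awaitShutdown();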

Hope this helps,
--Todd 

sushant ravale

Dec 1, 2015, 12:19:23 AM
to RestExpress
This worked for me (just for quick reference):

import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

import org.restexpress.RestExpress;

public class SSLExpressRestServer {

    public static void main(String[] args) {

        RestExpress server = new RestExpress().setPort(443);
        // register the controller (Controller is your own controller class)
        server.uri("local", new Controller());
        SSLContext sslContext = null;
        try {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            File keyStoreFile = new File("myKeyStoreFile.jks");
            if (!keyStoreFile.exists()) {
                System.err.println("File doesn't exist");
                System.exit(1);
            }
            // this can be read from javax.net.ssl.keyStore property
            char[] passwordChars = "password".toCharArray();
            // try-with-resources closes the keystore stream even if load() throws
            try (FileInputStream in = new FileInputStream(keyStoreFile)) {
                keyStore.load(in, passwordChars);
            }

            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
            keyManagerFactory.init(keyStore, passwordChars);
            sslContext = SSLContext.getInstance("TLS");
            // key managers only: default trust managers and SecureRandom are used
            sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
        } catch (Exception e) {
            // do not start the server without a working SSLContext
            e.printStackTrace();
            System.exit(1);
        }
        server.setSSLContext(sslContext);

        server.bind();

        server.awaitShutdown();
    }

}
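
A pre-flight check for the keystore loaded in the post above, added here as an example and not part of the original posts or of RestExpress: KeyManagerFactory.init() accepts a keystore that holds no key entry or an expired certificate, and the problem only shows up later as failed handshakes. The class name KeyStorePreflight and its check() helper are hypothetical, and the keystore path and password are assumed to arrive via the standard javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class KeyStorePreflight {
    // Returns a list of problems; an empty list means a usable server key was found.
    static List<String> check(KeyStore ks) throws Exception {
        List<String> problems = new ArrayList<>();
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // certificate-only entries cannot serve TLS
            keyEntries++;
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                problems.add(alias + ": key entry has no certificate chain");
                continue;
            }
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue;
                try {
                    ((X509Certificate) c).checkValidity(); // expired or not yet valid?
                } catch (Exception e) {
                    problems.add(alias + ": " + e.getMessage());
                }
            }
        }
        if (keyEntries == 0) problems.add("no key entry: TLS handshakes would fail");
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an empty in-memory keystore, which the check must reject.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        System.out.println("empty keystore: " + check(empty));
        // Assumption: path and password arrive via the standard JSSE system properties.
        String path = System.getProperty("javax.net.ssl.keyStore");
        if (path == null) return;
        char[] pw = System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        System.out.println(path + ": " + check(ks));
    }
}
```

Run it with -Djavax.net.ssl.keyStore=... and -Djavax.net.ssl.keyStorePassword=... before starting the server; an empty list for the file means the keystore has a key entry whose certificates are currently valid.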

Todd Fredrich

Dec 1, 2015, 5:38:42 PM
to RestExpress
Thanks for your contribution!

--Todd