Securing JSON-RPC connections¶
From Chrome M47, requests to getUserMedia are only allowed from secure origins (HTTPS or HTTP from localhost). Since Kurento relies heavily on the JSON-RPC library for the signaling part of applications, it is required that the JSON-RPC server offers a secure websocket connection (WSS), or the client will receive a mixed content error, as insecure WS connections may not be initialised from a secure HTTPS connection.
Securing JSON-RPC Servers¶
Enabling secure Websocket connections is fairly easy in Spring. The only requirement is to have a certificate, either self-signed or issued by a certification authority. The certificate must be stored in a keystore, so it can be later used by the :term:JVM. Depending on whether you have acquired a certificate or want to generate your own, you will need to perform different operations
- Certificates issued by certification authorities can be imported with the command:
keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"
- A keystore holding a self-signed certificate can be generated with the following command:
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
The file keystore.jks must be located the project’s root path, and a file named application.properties must exist in
src/main/resources/, with the following content:
server.port: 8443 server.ssl.key-store: keystore.jks server.ssl.key-store-password: yourPassword server.ssl.keyStoreType: JKS server.ssl.keyAlias: yourKeyAlias
You can also specify the location of the properties file. Just issue the flag
-Dspring.config.location=<path-to-properties> when launching the Spring-Boot based app. In order to change the location of the keystore.jks file, it is enough to change the key
server.ssl.key-store. The complete official documentation form the Spring project can be found here
Connecting JSON-RPC Clients to secure servers¶
JSON-RPC clients can connect to servers exposing a seure connection. By default, the Websocket library used will try to validate the
certificate used by the server. In case of self-signed certificates, the client must be instructed to prevent skip this validation
step. This can be acchieved by creating a
SslContextFactory, and using the factory in the client.
SslContextFactory contextFactory = new SslContextFactory(); contextFactory.setValidateCerts(false); JsonRpcClientWebSocket client = new JsonRpcClientWebSocket(uri, contextFactory);