Tomcat/Spring SSL configuration_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-03-06 07:46 出处：网络

I\'m trying to configure my Spring application to use an SSL certificate I purchased from a CA. I followed the directions for the Tomcat 6.0 configuration and have imported the key into my Tomcat keys

I'm trying to configure my Spring application to use an SSL certificate I purchased from a CA. I followed the directions for the Tomcat 6.0 configuration and have imported the key into my Tomcat keystore and uncommented the SSL connector in the server.xml. When I start Tomcat, I see the connector start on port 8443 in the Tomcat logs, but when I go to https://example.com:8443 or http: //example.com:8443 or https: //example.com (without the spaces - I don't have the reputation to post links), it times out. What other configuration do I need to do to enable SSL for my Spring application. Do I have to change the application configuration?

I'd also like to only have some URLs over SSL (login, edit profile, etc.). How can I allow this in the Spring configuration? If I have to have all URLs acc开发者_如何学运维essible over SSL, that would be ok, but not desirable. I haven't found any tutorials that are Spring specific.

What you'll need to do is to edit your server.xml file to enable ssl. Here's Tomcat's guide, please check it out:

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

In order to programmatically know if a request has arrived through port 80 or 443, you need to inspect the value returned by request.isSecure().

To secure URLs altogether, I'd recommend using a Filter.

I don't remember how all of this is handled by Spring, but I don't think you'll have any problems to obtain the request object.

Hope that helps.

After you've configured Tomcat as per the document cited by @mschonaker, he simplest thing is to define the action in the j_security_check and edit profile forms, etc, specify the https: protocol, e.g. in a Facelet, https://#{request.serverName}:8443#{request.contextPath}/j_security_check. Then when the user hits the login button, the form POSTs via HTTPS, so they are secure.

This leaves you in HTTPS for the rest of the session: to get back to HTTP but still stay in the same session, just provide a link to a fully-specified HTTP url, e.g. in a Facelet, http://#{request.serverName}:8443#{request.contextPath}/some link.

If you have other pages you want secured when read, define appropriate security-constraint, user-data-constraint, and transport-guarantee CONFIDENTIAL elements for them in web.xml.

about the second point

I'd also like to only have some URLs over SSL (login, edit profile, etc.). ???

you could determine it by modify configration in web.xml

  <security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
       <!-- <url-pattern>/*</url-pattern> -->  <!--all pages-->
        <url-pattern>/yourapp/login</url-pattern>
        <url-pattern>/yourapp/edit</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

hope that help you