1. Tomcat security configuration: storing the certificate (keystore) password encrypted
http://www.2cto.com/Article/201308/239948.html
Before: the keystore password sits in server.xml in plaintext, readable by anyone who can read the file.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="./conf/keystore" keystorePass="jackie.123"
           clientAuth="false" sslProtocol="TLS" />
After: the connector is pointed at a custom protocol handler (the class must be on Tomcat's classpath, e.g. a jar in $CATALINA_HOME/lib), and keystorePass holds an encoded value that the handler turns back into the real password at startup.
<Connector port="8443" protocol="demo.MyHttp11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="./conf/keystore" keystorePass="ADFADLJYNGHYVM=="
           clientAuth="false" sslProtocol="TLS" />
package demo;

import java.nio.charset.StandardCharsets;
import java.util.Base64;

import org.apache.coyote.http11.Http11Protocol;

public class MyHttp11Protocol extends Http11Protocol {
    @Override
    public void init() throws Exception {
        // keystorePass is the Connector attribute from server.xml; in Tomcat 7 the
        // getter/setter are inherited from AbstractHttp11JsseProtocol. Swap the
        // value before super.init(), which is where the endpoint opens the keystore.
        final String password = getKeystorePass();
        final String realpassword = decipher(password);
        setKeystorePass(realpassword);
        super.init();
    }

    private String decipher(final String password) {
        // Decode the value stored in server.xml back to the real password.
        // The scheme is left to the reader; Base64 is used here only so the class
        // compiles and is obfuscation, not encryption: anyone who can read
        // server.xml and this class can reverse it.
        return new String(Base64.getDecoder().decode(password), StandardCharsets.UTF_8);
    }
}
I opened the Tomcat 7.0.42 source and found that Http11Protocol itself only contains methods of that kind and declares no init(); has init been dropped?
No need to worry: keep going up the inheritance tree to AbstractProtocol, and there it is (the override above still works, because init() is inherited):
    /*
     * NOTE: There is no maintenance of state or checking for valid transitions
     * within this class. It is expected that the connector will maintain state
     * and prevent invalid state transitions.
     */
    @Override
    public void init() throws Exception {
        if (getLog().isInfoEnabled())
            getLog().info(sm.getString("abstractProtocolHandler.init",
                    getName()));

        if (oname == null) {
            // Component not pre-registered so register it
            oname = createObjectName();
            if (oname != null) {
                Registry.getRegistry(null, null).registerComponent(this, oname,
                        null);
            }
        }

        if (this.domain != null) {
            try {
                tpOname = new ObjectName(domain + ":" +
                        "type=ThreadPool,name=" + getName());
                Registry.getRegistry(null, null).registerComponent(endpoint,
                        tpOname, null);
            } catch (Exception e) {
                getLog().error(sm.getString(
                        "abstractProtocolHandler.mbeanRegistrationFailed",
                        tpOname, getName()), e);
            }
            rgOname=new ObjectName(domain +
                    ":type=GlobalRequestProcessor,name=" + getName());
            Registry.getRegistry(null, null).registerComponent(
                    getHandler().getGlobal(), rgOname, null );
        }

        String endpointName = getName();
        endpoint.setName(endpointName.substring(1, endpointName.length()-1));

        try {
            endpoint.init();
        } catch (Exception ex) {
            getLog().error(sm.getString("abstractProtocolHandler.initError",
                    getName()), ex);
            throw ex;
        }
    }
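The handler above is only as strong as its decoding scheme and wherever the key for that scheme lives; a Base64 or hard-coded-key decode is reversible by anyone who can read server.xml and the class. As an added example (not code from the original note and not part of Tomcat), here is a Tomcat 7 variant that stores an AES-GCM ciphertext in server.xml and takes the key from the environment of the Tomcat process, so the value in server.xml is useless on its own. The class name, the ENC(...) wrapper and the TOMCAT_KEYSTORE_KEK variable are assumptions of this example; it relies on getKeystorePass()/setKeystorePass() as exposed by Tomcat 7's AbstractHttp11JsseProtocol and needs Java 8+ for AES/GCM and java.util.Base64.

```java
package demo;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.apache.coyote.http11.Http11Protocol;

/**
 * Hypothetical Tomcat 7 protocol handler. server.xml carries
 * keystorePass="ENC(base64(iv || ciphertext || tag))"; the AES key that unlocks it
 * is read from the environment variable TOMCAT_KEYSTORE_KEK (assumed name).
 */
public class EncryptedKeystoreHttp11Protocol extends Http11Protocol {

    private static final String PREFIX = "ENC(";
    private static final String SUFFIX = ")";
    private static final String KEK_ENV = "TOMCAT_KEYSTORE_KEK"; // assumed variable name
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    @Override
    public void init() throws Exception {
        // Replace the wrapped value before super.init(), which binds the endpoint
        // and opens the keystore with whatever keystorePass holds at that moment.
        setKeystorePass(unwrap(getKeystorePass()));
        super.init();
    }

    /** Values that are null or not wrapped in ENC(...) pass through unchanged. */
    static String unwrap(String value) throws GeneralSecurityException {
        if (value == null || !value.startsWith(PREFIX) || !value.endsWith(SUFFIX)) {
            return value;
        }
        String b64 = value.substring(PREFIX.length(), value.length() - SUFFIX.length());
        return decrypt(loadKek(), b64);
    }

    /** The key-encryption key never appears in server.xml; it comes from the process environment. */
    static byte[] loadKek() {
        String b64 = System.getenv(KEK_ENV);
        if (b64 == null) {
            throw new IllegalStateException(KEK_ENV + " is not set; cannot decrypt keystorePass");
        }
        byte[] kek = Base64.getDecoder().decode(b64);
        if (kek.length != 16 && kek.length != 32) {
            throw new IllegalStateException(KEK_ENV + " must be a base64 AES-128 or AES-256 key");
        }
        return kek;
    }

    static String decrypt(byte[] kek, String b64) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(b64);
        if (blob.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new GeneralSecurityException("wrapped keystorePass is too short to be valid");
        }
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        // The IV is the first 12 bytes; the GCM tag is verified by doFinal, so a
        // tampered or wrong-key value fails loudly instead of yielding garbage.
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(kek, "AES"),
               new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        byte[] plain = c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** Produces the value to paste into server.xml; a fresh random IV every time. */
    static String encrypt(byte[] kek, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(kek, "AES"),
               new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, blob, 0, iv.length);
        System.arraycopy(ct, 0, blob, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(blob) + SUFFIX;
    }

    /** Offline helper: prints the ENC(...) value for the given plaintext password. */
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: EncryptedKeystoreHttp11Protocol <plaintext keystore password>");
            System.exit(2);
        }
        String wrapped = encrypt(loadKek(), args[0]);
        // Round-trip before printing so a mistyped KEK is caught here, not at Tomcat startup.
        if (!args[0].equals(unwrap(wrapped))) {
            throw new IllegalStateException("round-trip failed");
        }
        System.out.println(wrapped);
    }
}
```

Generate a key once (for example 32 random bytes, base64-encoded), export it as TOMCAT_KEYSTORE_KEK in the environment that launches Tomcat (setenv.sh or the service definition, itself readable only by the service account), run the main with Tomcat's lib/*.jar on the classpath to obtain the ENC(...) value, and set protocol="demo.EncryptedKeystoreHttp11Protocol" plus that value as keystorePass. This moves the secret rather than eliminating it: anyone who can run code as the Tomcat user can still read the environment and the keystore, so file permissions on server.xml, the keystore and setenv.sh remain the primary control.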
================
2. How to avoid keeping the admin user's password in plaintext
You can undeploy host-manager, or simply delete it;
then we only need to concentrate on the security settings of the manager app.
Settings in the manager app's web.xml (webapps/manager/WEB-INF/web.xml):
<!-- Define the Login Configuration for this Application -->
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
</login-config>
Settings in server.xml (the digest attribute tells the realm that tomcat-users.xml holds MD5 digests rather than plaintext):
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
     via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase". Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" digest="MD5" />
</Realm>
cd %CATALINA_HOME%
bin\digest.bat -a MD5 <user-password>
user-password:9afdaff99sdfasdgfd3467a54b1
The tool prints input:digest; the hex string after the colon replaces the plaintext password in tomcat-users.xml.
Two caveats. First, the form above digests the bare password, which is what digest="MD5" expects for BASIC or FORM login. The manager's web.xml above selects DIGEST, and HTTP Digest authentication has the client prove knowledge of MD5(username:realm:password) rather than of the password itself, so for DIGEST the stored value must be computed over username:realm:password, with realm exactly equal to the <realm-name> in web.xml:
bin\digest.bat -a MD5 "admin:Tomcat Manager Application:<user-password>"
Second, this is a hash, not encryption: MD5 is fixed by the Digest scheme and the value is unsalted, so tomcat-users.xml still needs restrictive file permissions and a password that resists offline guessing.
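To make the two digest forms concrete, here is an added example (not from the original note and not Tomcat's own digest tool) that computes the credential tomcat-users.xml must hold for each login method and prints the <user> element. The sample username, password and role are constructed values; the realm string must match the <realm-name> in the manager's web.xml.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Produces the digested credential that UserDatabaseRealm with digest="MD5"
 * compares against, for BASIC/FORM and for DIGEST login respectively.
 */
public final class TomcatDigest {

    /** Lower-case hex MD5, the same encoding digest.bat/digest.sh print. */
    static String md5Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] d = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) {
                sb.append(String.format("%02x", b & 0xff));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is mandatory in every JRE", e);
        }
    }

    /** BASIC or FORM login: the realm digests the submitted password alone. */
    static String basicOrFormCredential(String password) {
        return md5Hex(password);
    }

    /**
     * DIGEST login: the browser never sends the password, only a response built
     * from MD5(username:realm:password) (RFC 2617 HA1) and the nonces, so HA1 is
     * what the realm must have stored. realm must equal <realm-name> in web.xml.
     */
    static String digestCredential(String username, String realm, String password) {
        return md5Hex(username + ":" + realm + ":" + password);
    }

    /** The line to paste into tomcat-users.xml. */
    static String userElement(String username, String credential, String roles) {
        return "<user username=\"" + username + "\" password=\"" + credential
                + "\" roles=\"" + roles + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed sample values; override on the command line.
        String user = args.length > 0 ? args[0] : "admin";
        String pass = args.length > 1 ? args[1] : "jackie.123";
        String realm = "Tomcat Manager Application"; // must match web.xml exactly

        System.out.println("# for <auth-method>BASIC</auth-method> or FORM:");
        System.out.println(userElement(user, basicOrFormCredential(pass), "manager-gui"));
        System.out.println("# for <auth-method>DIGEST</auth-method>:");
        System.out.println(userElement(user, digestCredential(user, realm, pass), "manager-gui"));
    }
}
```

Run it as `java TomcatDigest admin 'jackie.123'` and paste the line matching the auth-method in use. Changing the realm-name in web.xml later invalidates every DIGEST credential, since the realm is part of the hashed input, so pick it once.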