Forcing HTTPS access

Environment:

tomcat8

jsp


Preparation:

1. Generate the key pair

Regarding the parameters: if -alias is something other than tomcat, server.xml needs an additional attribute (keyAlias) to name it.

If the keystore password and the key password are different, they have to be configured separately below (keystorePass and keyPass); most of the examples online use the same password for the keystore and the key.

keytool -genkeypair -keyalg "RSA" -keystore "tomcat_keystore" -alias "tomcat"


2. Configure the key information and the HTTPS connector in server.xml

Just uncomment the connector on port 8443, then add

keystoreFile="d:/key/tomcat.keystore" keystorePass="tomcat123"

There seem to be several choices for protocol; the full version:

<Connector port="443" protocol="HTTP/1.1"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="d:/key/tomcat.keystore" keystorePass="tomcat" />
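Both caveats from step 1 (an alias that does not match, and a key password that differs from the keystore password) only surface as a failed connector start once Tomcat is launched. The following is an added example, not code from the original post: a small Java program that opens the keystore the same way the connector will, using the values about to be written into server.xml. The default file name and alias are taken from the keytool command above; the default passwords are assumptions (changeit is Tomcat's documented default for keyPass), and all four values can be overridden on the command line.

```java
// Added example (not from the original post): checks that the keystore from step 1
// can be opened with the keystorePass, keyAlias and keyPass values intended for server.xml.
// Usage: java KeystoreCheck [keystoreFile] [alias] [keystorePass] [keyPass]
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        String file      = args.length > 0 ? args[0] : "tomcat_keystore"; // -keystore from the keytool command
        String alias     = args.length > 1 ? args[1] : "tomcat";          // -alias from the keytool command
        String storePass = args.length > 2 ? args[2] : "changeit";        // assumed; Tomcat's documented default
        String keyPass   = args.length > 3 ? args[3] : storePass;         // Tomcat uses keystorePass when keyPass is unset

        // server.xml defaults to keystoreType="JKS"; keytool on JDK 9+ writes PKCS12 by default,
        // in which case set keystoreType="PKCS12" in the connector and change the type here too.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass.toCharArray());
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) {
                System.out.println("keystore password rejected: check keystorePass");
                System.exit(1);
            }
            throw e; // missing or unreadable file
        }
        System.out.println("keystore opened; aliases: " + Collections.list(ks.aliases()));

        if (!ks.isKeyEntry(alias)) {
            // Tomcat would silently fall back to the first key in the store; report it instead
            System.out.println("no private key under alias '" + alias + "': set keyAlias in server.xml");
            System.exit(2);
        }
        try {
            Key key = ks.getKey(alias, keyPass.toCharArray());
            System.out.println("private key unlocked (" + key.getAlgorithm() + ")");
        } catch (UnrecoverableKeyException e) {
            System.out.println("key password rejected: set keyPass separately from keystorePass");
            System.exit(3);
        }

        Certificate cert = ks.getCertificate(alias);
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            System.out.println("subject: " + x.getSubjectX500Principal());
            System.out.println("not after: " + x.getNotAfter());
            x.checkValidity(); // throws if the certificate has already expired
        }
    }
}
```

Each of the three exit codes corresponds to one connector attribute (keystorePass, keyAlias, keyPass), so the message tells you which line of server.xml to correct before restarting Tomcat.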


Below are the options that can be configured, copied from http://127.0.0.1/docs/config/http.html#SSL_Support (the documentation bundled with Tomcat):

The BIO, NIO and NIO2 connectors use the following attributes to configure SSL (each attribute name is followed by its description):

algorithm

The certificate encoding algorithm to be used. This defaults to KeyManagerFactory.getDefaultAlgorithm() which returns SunX509 for Sun JVMs. IBM JVMs return IbmX509. For other vendors, consult the JVM documentation for the default value.

allowUnsafeLegacyRenegotiation

Is unsafe legacy TLS renegotiation allowed, which is likely to expose users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS protocol that allows an attacker to inject arbitrary data into the user's request. If not specified, a default of false is used. This attribute only has an effect if the JVM does not support RFC 5746 as indicated by the presence of the pseudo-ciphersuite TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available from JRE/JDK 6 update 22 onwards. Where RFC 5746 is supported, renegotiation (including support for unsafe legacy renegotiation) is controlled by the JVM configuration.

ciphers

If specified and using ',' as a separator, only the ciphers that are listed and supported by the SSL implementation will be used. The ciphers are specified using the JSSE cipher naming convention. The special value of ALL will enable all supported ciphers. This will include many that are not secure. ALL is intended for testing purposes only.

The list can also use ':' as a separator, in that case it will use the OpenSSL syntax (see OpenSSL documentation for the list of ciphers supported and the syntax).

If not specified, a default (using the OpenSSL notation) of HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5 will be used.

Note that Java does treat the order in which ciphers are defined as an order of preference.

clientAuth

Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

clientCertProvider

When client certificate information is presented in a form other than instances of java.security.cert.X509Certificate it needs to be converted before it can be used and this property controls which JSSE provider is used to perform the conversion. For example it is used with the AJP connectors, the HTTP APR connector and with the org.apache.catalina.valves.SSLValve. If not specified, the default provider will be used.

crlFile

The certificate revocation list to be used to verify client certificates. If not defined, client certificates will not be checked against a certificate revocation list.

keyAlias

The alias used for the server certificate in the keystore. If not specified, the first key read in the keystore will be used.

keyPass

The password used to access the server certificate from the specified keystore file. The default value is "changeit".

keystoreFile

The pathname of the keystore file where you have stored the server certificate to be loaded. By default, the pathname is the file ".keystore" in the operating system home directory of the user that is running Tomcat. If your keystoreType doesn't need a file use "" (empty string) for this parameter.

keystorePass

The password used to access the specified keystore file. The default value is the value of the keyPass attribute.

keystoreProvider

The name of the keystore provider to be used for the server certificate. If not specified, the list of registered providers is traversed in preference order and the first provider that supports the keystoreType is used.

keystoreType

The type of keystore file to be used for the server certificate. If not specified, the default value is "JKS".

sessionCacheSize

The number of SSL sessions to maintain in the session cache. Use 0 to specify an unlimited cache size. If not specified, a default of 0 is used.

sessionTimeout

The time, in seconds, after the creation of an SSL session that it will timeout. Use 0 to specify an unlimited timeout. If not specified, a default of 86400 (24 hours) is used.

sslEnabledProtocols

The comma separated list of SSL protocols to support for HTTPS connections. If specified, only the protocols that are listed and supported by the SSL implementation will be enabled. If not specified, the JVM default (excluding SSLv2 and SSLv3 if the JVM enables either or both of them by default) is used. The permitted values may be obtained from the JVM documentation for the allowed values for SSLSocket.setEnabledProtocols() e.g. Oracle Java 7. Note: There is overlap between this attribute and sslProtocol.

sslImplementationName

The class name of the SSL implementation to use. If not specified, the default of org.apache.tomcat.util.net.jsse.JSSEImplementation will be used which wraps JVM's default JSSE provider. Note that the JVM can be configured to use a different JSSE provider as the default.

sslProtocol

The SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details). If not specified, the default is TLS. The permitted values may be obtained from the JVM documentation for the allowed values for algorithm when creating an SSLContext instance e.g. Oracle Java 7. Note: There is overlap between this attribute and sslEnabledProtocols.

trustManagerClassName

The name of a custom trust manager class to use to validate client certificates. The class must have a zero argument constructor and must also implement javax.net.ssl.X509TrustManager. If this attribute is set, the trust store attributes may be ignored.

trustMaxCertLength

The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 5 will be used.

truststoreAlgorithm

The algorithm to use for truststore. If not specified, the default value returned by javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm() is used.

truststoreFile

The trust store file to use to validate client certificates. The default is the value of the javax.net.ssl.trustStore system property. If neither this attribute nor the default system property is set, no trust store will be configured.

truststorePass

The password to access the trust store. The default is the value of the javax.net.ssl.trustStorePassword system property. If that property is null, no trust store password will be configured. If an invalid trust store password is specified, a warning will be logged and an attempt will be made to access the trust store without a password which will skip validation of the trust store contents.

truststoreProvider

The name of the truststore provider to be used for the server certificate. The default is the value of the javax.net.ssl.trustStoreProvider system property. If that property is null, the value of keystoreProvider is used as the default. If neither this attribute, the default system property nor keystoreProvider is set, the list of registered providers is traversed in preference order and the first provider that supports the truststoreType is used.

truststoreType

The type of key store used for the trust store. The default is the value of the javax.net.ssl.trustStoreType system property. If that property is null, the value of keystoreType is used as the default.



3. Confirm that https://127.0.0.1/ can be accessed normally (the browser will show a warning; click continue to proceed).

Also, the official documentation is at: http://127.0.0.1/docs/ssl-howto.html



Solutions:

Method 1: add the following to the web.xml of the application concerned

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

The exact setup may differ; below is the configuration when FORM authentication is used

<security-constraint>
    <display-name>zzz</display-name>
    <web-resource-collection>
        <web-resource-name>xxx</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/*</url-pattern>
        <!-- No http-method elements on purpose: listing methods protects only
             those, and every other method (HEAD, OPTIONS, ...) would stay
             unconstrained, i.e. reachable over plain HTTP -->
    </web-resource-collection>
    <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>gm</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>yyy</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>gm</role-name>
</security-role>

Method 2: add a redirect to the JSP page that sends the request to the HTTPS page

<%
    // Redirect plain-HTTP requests to the same URL over HTTPS
    // (assumes the HTTPS connector listens on 443, as configured above)
    if (!"https".equalsIgnoreCase(request.getScheme())) {
        String url = request.getRequestURL().toString();
        url = url.replace("http://", "https://");
        // getRequestURL() excludes the query string, so carry it over explicitly
        String qs = request.getQueryString();
        if (qs != null) {
            url += "?" + qs;
        }
        response.sendRedirect(url);
        // stop rendering the rest of the page over the insecure connection
        return;
    }
%>
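The scriptlet above has to be pasted into every page. As an added example (not code from the original post), the same redirect can be done once for the whole application with a servlet Filter, which also lets it handle the cases a single-page redirect ignores: the query string, a non-standard HTTPS port, and form POSTs that arrive over plain HTTP. It assumes the Servlet 3.1 API shipped with Tomcat 8 (javax.servlet); the package name, the class name and the HTTPS_PORT constant are placeholders to adjust (443 matches the connector in the post, 8443 if the default connector port was kept).

```java
// Added example (not from the original post): application-wide HTTP -> HTTPS redirect.
package example; // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/*")
public class ForceHttpsFilter implements Filter {

    // Port of the HTTPS connector in server.xml; placeholder, adjust to your connector
    private static final int HTTPS_PORT = 443;

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.isSecure()) {
            // Already on TLS: ask the browser to go straight to HTTPS for the next year
            response.setHeader("Strict-Transport-Security", "max-age=31536000");
            chain.doFilter(req, res);
            return;
        }

        // Plain HTTP. Only GET/HEAD are redirected: a POST body sent over HTTP has
        // already been exposed, so refuse it instead of replaying it over HTTPS.
        String method = request.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        response.setHeader("Location", httpsUrl(request));
    }

    // Rebuilds the request URL with the https scheme, the HTTPS port and the query string
    static String httpsUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (HTTPS_PORT != 443) {
            url.append(':').append(HTTPS_PORT);
        }
        url.append(request.getRequestURI());      // path only, unlike getRequestURL()
        String qs = request.getQueryString();     // dropped by the single-page JSP version
        if (qs != null) {
            url.append('?').append(qs);
        }
        return url.toString();
    }

    @Override
    public void destroy() { }
}
```

Two things to keep in mind when choosing between this and Method 1. The container applies security constraints before any filter runs, so a CONFIDENTIAL constraint takes precedence, and its redirect goes to the redirectPort attribute of the plain-HTTP connector (8443 unless changed), which must therefore point at the HTTPS connector actually configured. And if Tomcat sits behind a proxy that terminates TLS, isSecure() is false for every request unless the proxy's forwarded headers are honoured (Tomcat's RemoteIpValve), in which case the filter would redirect forever.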


