Environment:
tomcat8
jsp
Preparation:
1. Generate the key pair
Parameters: if -alias is not tomcat, server.xml needs an extra attribute to name it (keyAlias in the attribute table below).
If the keystore password and the key password differ, both have to be set separately in the configuration below; most examples online use the same password for the keystore and the key.
keytool -genkeypair -keyalg "RSA" -keystore "tomcat_keystore" -alias "tomcat"
2. Configure the key information and the HTTPS connector in server.xml
Just uncomment the 8443 connector and add:
keystoreFile="d:/key/tomcat.keystore" keystorePass="tomcat123"
There seem to be several choices for protocol; the full version:
<Connector port="443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="d:/key/tomcat.keystore" keystorePass="tomcat" />
Below are the options that can be configured, copied from http://127.0.0.1/docs/config/http.html#SSL_Support (the documentation bundled with Tomcat):
The BIO, NIO and NIO2 connectors use the following attributes to configure SSL:

Attribute | Description |
---|---|
algorithm | The certificate encoding algorithm to be used. This defaults to |
allowUnsafeLegacyRenegotiation | Is unsafe legacy TLS renegotiation allowed which is likely to expose users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS protocol that allows an attacker to inject arbitrary data into the user's request. If not specified, a default of |
ciphers | If specified and using ',' as a separator, only the ciphers that are listed and supported by the SSL implementation will be used. The ciphers are specified using the JSSE cipher naming convention. The special value of The list can also use ':' as a separator, in that case it will use the OpenSSL syntax (see OpenSSL documentation for the list of ciphers supported and the syntax). If not specified, a default (using the OpenSSL notation) of Note that Java does treat the order in which ciphers are defined as an order of preference. |
clientAuth | Set to |
clientCertProvider | When client certificate information is presented in a form other than instances of |
crlFile | The certificate revocation list to be used to verify client certificates. If not defined, client certificates will not be checked against a certificate revocation list. |
keyAlias | The alias used to for the server certificate in the keystore. If not specified the first key read in the keystore will be used. |
keyPass | The password used to access the server certificate from the specified keystore file. The default value is " |
keystoreFile | The pathname of the keystore file where you have stored the server certificate to be loaded. By default, the pathname is the file " |
keystorePass | The password used to access the specified keystore file. The default value is the value of the |
keystoreProvider | The name of the keystore provider to be used for the server certificate. If not specified, the list of registered providers is traversed in preference order and the first provider that supports the |
keystoreType | The type of keystore file to be used for the server certificate. If not specified, the default value is " |
sessionCacheSize | The number of SSL sessions to maintain in the session cache. Use 0 to specify an unlimited cache size. If not specified, a default of 0 is used. |
sessionTimeout | The time, in seconds, after the creation of an SSL session that it will timeout. Use 0 to specify an unlimited timeout. If not specified, a default of 86400 (24 hours) is used. |
sslEnabledProtocols | The comma separated list of SSL protocols to support for HTTPS connections. If specified, only the protocols that are listed and supported by the SSL implementation will be enabled. If not specified, the JVM default (excluding SSLv2 and SSLv3 if the JVM enables either or both of them by default) is used. The permitted values may be obtained from the JVM documentation for the allowed values for |
sslImplementationName | The class name of the SSL implementation to use. If not specified, the default of |
sslProtocol | The the SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details). If not specified, the default is |
trustManagerClassName | The name of a custom trust manager class to use to validate client certificates. The class must have a zero argument constructor and must also implement |
trustMaxCertLength | The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 5 will be used. |
truststoreAlgorithm | The algorithm to use for truststore. If not specified, the default value returned by |
truststoreFile | The trust store file to use to validate client certificates. The default is the value of the |
truststorePass | The password to access the trust store. The default is the value of the |
truststoreProvider | The name of the truststore provider to be used for the server certificate. The default is the value of the |
truststoreType | The type of key store used for the trust store. The default is the value of the |
3. Confirm that https://127.0.0.1/ can be opened (the browser shows a certificate warning; click through to continue)
The official how-to is at: http://127.0.0.1/docs/ssl-howto.html
Solutions:
Method 1: add the following to the application's web.xml
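An added check for steps 1 and 2 (example code, not part of the original note or of Tomcat): it parses server.xml and reports the connector settings that the note and the attribute table above care about, including the keyPass pitfall from step 1 and the redirectPort that method 1 below relies on. The server.xml fragment is constructed; paths and passwords are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real server.xml: the plain HTTP connector plus the
# HTTPS connector from step 2, with three deliberate problems to be reported.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
               keystoreFile="d:/key/tomcat.keystore" keystorePass="tomcat123"
               allowUnsafeLegacyRenegotiation="true" />
  </Service>
</Server>"""


def audit_connectors(server_xml):
    """Return a list of findings (strings) for the Connector elements."""
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))
    ssl = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    ssl_ports = {c.get("port") for c in ssl}
    findings = []
    for c in ssl:
        p = c.get("port")
        # scheme/secure drive request.getScheme()/isSecure(); the JSP redirect in
        # method 2 loops forever if getScheme() still says "http" on this connector.
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(p + ': set scheme="https" secure="true"')
        if not c.get("keystoreFile") or not c.get("keystorePass"):
            findings.append(p + ": keystoreFile/keystorePass missing")
        # Step 1: a key password that differs from the keystore password must be
        # given separately via keyPass.
        if c.get("keyPass") is None:
            findings.append(p + ": keyPass not set; required if the key password "
                            "differs from keystorePass")
        if c.get("allowUnsafeLegacyRenegotiation", "false").lower() == "true":
            findings.append(p + ": allowUnsafeLegacyRenegotiation=true (CVE-2009-3555)")
        if c.get("sslEnabledProtocols") is None:
            findings.append(p + ": sslEnabledProtocols not set; JVM default applies")
    for c in connectors:
        if c in ssl:
            continue
        # A CONFIDENTIAL constraint (method 1) redirects plain HTTP to this port.
        rp = c.get("redirectPort")
        if rp not in ssl_ports:
            findings.append(c.get("port") + ": redirectPort=" + str(rp)
                            + " is not an SSL connector port")
    return findings


if __name__ == "__main__":
    for line in audit_connectors(SERVER_XML):
        print(line)
```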
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
The exact setup varies; below is the configuration when FORM authentication is used
<security-constraint>
<display-name>zzz</display-name>
<web-resource-collection>
<web-resource-name>xxx</web-resource-name>
<!-- Define the context-relative URL(s) to be protected -->
<url-pattern>/*</url-pattern>
<!-- If you list http methods, only those methods are protected so -->
<!-- the constraint below ensures all other methods are denied -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>gm</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Default login configuration uses form-based authentication -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>yyy</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>gm</role-name>
</security-role>
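As an added example (not from the original note), a check over web.xml that reports whether each security-constraint actually enforces CONFIDENTIAL and whether listing http-method leaves other HTTP methods outside the constraint. The web.xml fragment is constructed, with the Servlet 3.1 namespace assumed.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment, not taken from a real application: method 1's
# constraint, with the Servlet 3.1 namespace that Tomcat 8 applications declare.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>xxx</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>gm</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Drop the {namespace} prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def check_constraints(web_xml):
    """Return findings for each security-constraint in the given web.xml text."""
    root = ET.fromstring(web_xml)
    deny_uncovered = any(_local(e.tag) == "deny-uncovered-http-methods" for e in root)
    findings = []
    for sc in root:
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods, guarantee = [], [], "NONE"
        for e in sc.iter():
            t = _local(e.tag)
            if t == "url-pattern":
                patterns.append(e.text.strip())
            elif t == "http-method":
                methods.append(e.text.strip())
            elif t == "transport-guarantee":
                guarantee = e.text.strip()
        where = ",".join(patterns)
        # Only CONFIDENTIAL makes Tomcat redirect plain HTTP to the SSL connector.
        if guarantee != "CONFIDENTIAL":
            findings.append(where + ": transport-guarantee=" + guarantee
                            + ", HTTPS not enforced")
        # Naming methods restricts the constraint to them; every other method is
        # uncovered unless Servlet 3.1's <deny-uncovered-http-methods/> is present.
        if methods and not deny_uncovered:
            findings.append(where + ": only " + ",".join(methods)
                            + " covered; other methods are not constrained")
    return findings
```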
Method 2: add a redirect in the JSP page that sends the request to the HTTPS page
<%
    // Send plain-HTTP requests to the HTTPS connector. The 443 connector must
    // have scheme="https", otherwise getScheme() never returns "https" here.
    if (!"https".equalsIgnoreCase(request.getScheme())) {
        // Build the target from its parts instead of replacing "http://" in
        // getRequestURL(): that keeps the query string and drops the HTTP port
        // (e.g. 8080), which the HTTPS connector on 443 does not listen on.
        StringBuilder url = new StringBuilder("https://");
        url.append(request.getServerName()).append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        response.sendRedirect(url.toString());
        return;
    }
%>