web应用http转https

2019独角兽企业重金招聘Python工程师标准>>>

网上看到说有两种http转https的方法：

1、tomcat打开8443或443端口之后，修改web.xml配置https作用路径即可实现

2、tomcat打开8443或443端口之后，创建filter类将http转为https

以下介绍的是相对简单的http转https的配置方法，第一种：

一、获取证书（自签名证书或者数字认证中心颁发的证书，这里介绍自签名证书的制作）

1、通过jdk工具生成keystore文件

keytool -genkeypair -alias "MyWebShell" -keyalg "RSA" -keystore "mywebshell.keystore"

2、导出到证书文件-crt文件

keytool -export -alias MyWebShell -file mywebshell.crt -keystore mywebshell.keystore

3、导入证书信息

keytool -import -keystore mywebshell_cacerts -file mywebshell.crt

注：生成证书时的密码一定要记下，下一步会用到。

参考链接：创建自签名证书

二、tomcat开启https相关端口-443或者8443端口

tomcat的conf文件夹下的server.xml文件中添加以下配置即可开通443或者8443端口：

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="mywebshell.keystore所在目录路径" keystorePass="生成证书时设置的密码" sslProtocol="TLS" />

完整的配置如下（给两个应用配置https服务，应配置两个不同的https访问端口-443和8443端口，否则其中一个应用将无法进行正常访问）：

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8088" protocol="HTTP/1.1"
               connectionTimeout="8000"
               redirectPort="8443" />
	<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="keystore文件所在目录路径" keystorePass="生成证书时设置的密码" sslProtocol="TLS" />


    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.LockOutRealm">

        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
  <Service name="Catalina1">
    <Connector port="8099" protocol="HTTP/1.1"
               connectionTimeout="8000"
               redirectPort="8443" />
			   
	<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="keystore文件所在目录路径" keystorePass="生成证书时设置的密码" sslProtocol="TLS" />
	
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

	
    <Engine name="Catalina1" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps1"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>

以上，便能正常访问tomcat的8088、8099、8443端口了。

三、web应用的web.xml中添加以下代码配置需要https访问的页面

<security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>

注：/* 表示应用的所有页面都强制https访问

 

最终配置完成之后的结果如下：

转载于:https://my.oschina.net/u/3636678/blog/3020525