Setting up SSL

SSL serves two purposes:

  • Encryption – the data is encrypted by SSL before it is sent over HTTP, so it cannot be read in transit
  • Authentication – the Certificate Authority that signed the certificate vouches that the certificate holder is who they claim to be

The first step is to create a self-signed certificate with keytool:

"%JAVA_HOME%"\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
  • If -alias is not specified, it defaults to “mykey”
  • If -keystore is not specified, it defaults to “.keystore” in the user’s home directory

You can also import an existing certificate if you already have one (this command adds it to the JRE’s cacerts trust store):

"%JAVA_HOME%"\bin\keytool.exe -import -file your_cert.cer -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

The second step is to enable the SSL Connector in Tomcat’s server.xml:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>

Or, if using embedded Tomcat (the Maven plugin), modify pom.xml instead:


The application should now be accessible through either of the following:

Enforcing HTTPS / SSL can be done either through web.xml or through Spring Security:

<!-- web.xml -->

<!-- Spring Security -->
<security:intercept-url pattern="/secure/**" requires-channel="https"/>

A port mapping may be needed for Spring Security if you are using non-standard ports (see link); otherwise it will try to redirect HTTP requests to 8443.

<!-- HTTPS / SSL: port-mapping must sit inside <security:port-mappings>, within <security:http> -->
<security:port-mappings>
    <security:port-mapping http="8080" https="8144"/>
</security:port-mappings>
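As an added example (not the post’s own snippet), here is the web.xml form of the enforcement described above, together with the server.xml attribute that decides where Tomcat sends plain-HTTP requests that hit a protected path; the /secure/ path mirrors the Spring rule above and is an assumption.

```xml
<!-- server.xml: the plain HTTP Connector names the HTTPS port that CONFIDENTIAL
     constraints redirect to. If your SSL Connector listens elsewhere (e.g. 8144),
     change redirectPort to match or the redirect lands on a closed port. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"/>

<!-- web.xml: require TLS for everything under /secure/. Note the servlet
     url-pattern uses a single "*" where Spring's intercept-url uses "/**". -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secured area</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL = content must travel over an encrypted transport.
             Tomcat answers a plain HTTP request here with a redirect to
             redirectPort rather than with a 403, so check the redirect target
             by requesting http://host:8080/secure/ and inspecting the Location
             header. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Because the servlet constraint is enforced by the container itself, it applies even to requests that never reach a Spring Security filter.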


Posted in Java, Maven, Spring Security
