Setting up SSL

SSL (today TLS, although Tomcat's attribute names still say SSL) serves two purposes:

  • Encryption – the HTTP exchange is carried inside an encrypted TLS session, so someone on the network sees neither the request nor the response
  • Authentication – the certificate binds a public key to a host name, and a Certificate Authority the client already trusts vouches for that binding; a self-signed certificate (as created below) gives you the encryption but not the authentication, which is why browsers warn about it

First step is to create a self-signed certificate with keytool:

"%JAVA_HOME%"\bin\keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
  • keytool prompts for "first and last name": that value becomes the certificate's CN and must be the host name clients will use (e.g. localhost during development), otherwise every browser will warn about a name mismatch
  • it also prompts for a key password; Tomcat uses keystorePass for the key as well unless keyPass is set, so give both the same value
  • if -alias is not specified, then it defaults to "mykey"
  • if -keystore is not specified, then it defaults to ".keystore" in the user's home directory; note that the command as written creates keystore.jks in the current directory, which is not the file the server.xml connector below points at
  • -validity defaults to 90 days; on JDKs older than 8 the RSA key size defaults to 1024 bits, so pass -keysize 2048 explicitly there (current JDKs also accept the newer spelling -genkeypair)

If you already have a certificate, be clear about what the following command does and does not do:

"%JAVA_HOME%"\bin\keytool.exe -import -file your_cert.cer -keystore "%JAVA_HOME%\jre\lib\security\cacerts"

It adds your_cert.cer as a trusted certificate to the JRE's own truststore (cacerts, default password "changeit"), so Java clients running on that JRE will accept servers that present it. That changes the trust of every Java program using the JRE, and a JRE upgrade replaces the file. It does not give Tomcat a server certificate: a .cer file holds only the public half, and a serving keystore needs the private key too. To serve an existing certificate, bundle the certificate, its private key and the CA chain into a PKCS#12 file and point the connector's keystoreFile at that (with keystoreType="PKCS12"), or import the PKCS#12 into keystore.jks with keytool -importkeystore.
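The keystore steps above as one script, added here as an example rather than taken from the original post. It builds the key and certificate with openssl (so the certificate gets a subjectAltName, which keytool's interactive prompts do not add), bundles them as PKCS#12 and, where keytool is installed, converts that into the keystore.jks the post uses. Host name, alias and password default to the post's values (localhost, tomcat, changeit); the output directory and the probe function at the end are assumptions of this example. It needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the original post: build the server key and
# certificate with openssl, bundle them as PKCS#12 (which Tomcat loads with
# keystoreType="PKCS12") and, if keytool is installed, convert the bundle to
# the keystore.jks the post uses. Host name, alias and password default to
# the post's values; OUT_DIR is an assumption. Needs OpenSSL 1.1.1 or newer.
set -eu

OUT_DIR="${OUT_DIR:-./tls-out}"
HOST="${HOST:-localhost}"
ALIAS="${ALIAS:-tomcat}"
STOREPASS="${STOREPASS:-changeit}"

# 2048-bit RSA key and a one-year self-signed certificate. The SAN matters:
# browsers and Java clients match the host name against subjectAltName, not CN.
make_self_signed() {
    mkdir -p "$OUT_DIR"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -keyout "$OUT_DIR/server.key" -out "$OUT_DIR/server.crt" 2>/dev/null
}

# Key + certificate as one PKCS#12 entry named after the Tomcat keyAlias.
# The same command turns an existing CA-issued certificate into a server
# keystore: point -in/-inkey at that certificate and its private key and add
# -certfile chain.pem for the intermediates.
make_pkcs12() {
    openssl pkcs12 -export -name "$ALIAS" \
        -in "$OUT_DIR/server.crt" -inkey "$OUT_DIR/server.key" \
        -out "$OUT_DIR/keystore.p12" -passout "pass:$STOREPASS"
}

# Optional JKS conversion for a keystoreFile="...keystore.jks" connector.
# Tomcat expects the key password to equal keystorePass unless keyPass is
# set, so -destkeypass gets the same value.
make_jks() {
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; use keystore.p12 with keystoreType=\"PKCS12\"" >&2
        return 0
    fi
    rm -f "$OUT_DIR/keystore.jks"
    keytool -importkeystore -noprompt \
        -srckeystore "$OUT_DIR/keystore.p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" \
        -destkeystore "$OUT_DIR/keystore.jks" -deststoretype JKS \
        -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" >/dev/null 2>&1
}

# What a client will check: the SAN list of the generated certificate.
cert_sans() {
    openssl x509 -in "$OUT_DIR/server.crt" -noout -ext subjectAltName
}

# Friendly name of the certificate entry inside the PKCS#12 bundle; this is
# the value Tomcat looks up through keyAlias.
pkcs12_alias() {
    openssl pkcs12 -in "$OUT_DIR/keystore.p12" -passin "pass:$STOREPASS" \
        -nokeys -clcerts 2>/dev/null | sed -n 's/^ *friendlyName: //p'
}

# Probe a running connector (only used when a host and port are passed):
# succeed only if TLS 1.2 negotiates and the served certificate's SAN covers
# the host we dialled, i.e. what a browser will require.
check_tls_endpoint() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
        </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName | grep -q "DNS:$host"
}

main() {
    make_self_signed
    make_pkcs12
    make_jks
    echo "Keystore files written to $OUT_DIR (entry alias: $(pkcs12_alias))"
    cert_sans
    if [ $# -eq 2 ]; then
        if check_tls_endpoint "$1" "$2"; then
            echo "TLS 1.2 with a matching SAN on $1:$2"
        else
            echo "TLS probe of $1:$2 failed" >&2
            exit 1
        fi
    fi
}
main "$@"
```

Run it with no arguments to produce the keystores, then `sh make-keystore.sh localhost 8443` once Tomcat is up to confirm the connector actually negotiates TLS 1.2 with the expected certificate. A PKCS#12 produced by OpenSSL 3 uses AES/PBKDF2 internally; Java 8 and later read it without conversion.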

Second step is to enable the HTTPS connector in Tomcat's server.xml:

<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!-- keystoreFile points at keytool's default store; if step 1 wrote keystore.jks,
     point at that file instead. "changeit" is keytool's well-known default password:
     choose your own, and prefer a ${property} set from the environment to a literal
     in a file that normally ends up in version control. -->
<Connector
           protocol="HTTP/1.1"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>

Or, if you run embedded Tomcat through the Maven plugin, configure it in pom.xml instead:

<plugin>
    <groupId>org.apache.tomcat.maven</groupId>
    <artifactId>tomcat7-maven-plugin</artifactId>
    <version>2.0</version>
    <configuration>
        <path>/${project.name}</path>
        <httpsPort>8443</httpsPort>
        <!-- Everything under src/main/resources is packaged into the WAR, so this
             keystore, private key included, would ship with the artifact. Keep it in a
             directory Maven does not package (e.g. ${basedir}/cert) and out of version
             control, and supply the password as a Maven property (-Dkeystore.pass=...)
             rather than as a literal in pom.xml. -->
        <keystorePass>changeit</keystorePass>
        <keystoreFile>${basedir}/src/main/resources/cert/keystore.jks</keystoreFile>
    </configuration>
</plugin>
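A hardened server.xml pair for the same setup, added here as an example and not the post's own configuration. It assumes Tomcat 7 or later on Java 8, that the PKCS#12 keystore was copied to conf/keystore.p12, and that the keystore password is passed as a system property (CATALINA_OPTS="-Dtomcat.keystore.pass=..."); the cipher names are JSSE names available on Java 8. The HTTP connector's redirectPort is what Tomcat uses when a plain-HTTP request hits the CONFIDENTIAL transport guarantee shown further down, so it must match the HTTPS port.

```xml
<!-- HTTP connector. redirectPort is where Tomcat sends a plain-HTTP request that
     hits a CONFIDENTIAL constraint, so it must equal the HTTPS connector's port. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- HTTPS connector, hardened relative to the one above: keystore and password come
     from outside server.xml, only TLS 1.2 is offered, and the cipher list is limited
     to forward-secret AES-GCM suites (assumed available on the JVM in use). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${catalina.base}/conf/keystore.p12"
           keystoreType="PKCS12"
           keystorePass="${tomcat.keystore.pass}"
           keyAlias="tomcat"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
           clientAuth="false" />
```

sslProtocol="TLS" on its own only names the SSLContext to create and still lets the JVM offer every protocol version it has enabled; sslEnabledProtocols is the attribute that actually restricts what the connector will negotiate.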

Application should now be accessible through either of the following:

Enforcing HTTPS can then be done in web.xml (container-managed) or in Spring Security:

<!-- web.xml -->
<!-- CONFIDENTIAL makes Tomcat answer a plain-HTTP request for any matching URL with a
     redirect to the redirectPort of the connector it arrived on, so the HTTP connector
     in server.xml must carry redirectPort="8443" (or whatever port the HTTPS connector
     listens on). The url-pattern /* covers the whole application. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Spring Security -->
<security:intercept-url pattern="/secure/**" requires-channel="https"/>

Spring Security needs a port mapping if you use non-standard ports (see link): by default it only knows 80 ↔ 443 and 8080 ↔ 8443, so a plain-HTTP request on 8080 for a requires-channel="https" URL is redirected to the same path on port 8443. With the mapping below, http://host:8080/secure/... is redirected to https://host:8144/secure/... instead. Bear in mind that a redirect only upgrades the next request: the first plain-HTTP request, including any session cookie it carried, has already crossed the network in the clear, which is why session cookies should also carry the Secure flag.

<!-- HTTPS / SSL -->
<security:port-mappings>
    <security:port-mapping http="8080" https="8144"/>
</security:port-mappings>

Posted in Java, Maven, Spring Security
