外部tomcat中spring的SSL配置

Question

I am new for spring. I want to Configure ssl certificate for Spring application. Currently i am using external tomcat9 and configured its 8443 port(which is working fine):

server.xml of tomcat:

<Connector port="8443"
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       maxThreads="150"
       SSLEnabled="true"
       scheme="https"
       secure="true" >
<SSLHostConfig>
    <Certificate certificateKeystoreFile="G:\apache-tomcat-9.0.39\conf\myexistingkey.jks"
                 certificateKeystorePassword="password"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
</SSLHostConfig>

In application:

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <absolute-ordering />

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>securedapp</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>

And setup basic authentication using spring security like: MyBasicAuthEntryPoint:

public class MyBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {

    @Override
    public void commence(final HttpServletRequest request,
                         final HttpServletResponse response,
                         final AuthenticationException authException) throws IOException {
        //Authentication failed, send error response.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.addHeader("WWW-Authenticate", "Basic realm=" + getRealmName() + "");

        PrintWriter writer = response.getWriter();
        writer.println("HTTP Status 401 : " + authException.getMessage());
    }

    @Override
    public void afterPropertiesSet()  {
        setRealmName("MY_TEST_REALM");
        super.afterPropertiesSet();
    }
 }

And BasicAuthService:

@Configuration
@EnableWebSecurity
public class BasicAuthenticationService extends WebSecurityConfigurerAdapter {

    private static String REALM = "MY_TEST_REALM";

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("admin").password(passwordEncoder().encode("admin")).roles("USER");
          System.out.println("configureGlobalSecurity");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        System.out.println("configure");
        MyBasicAuthenticationEntryPoint authenticationEntryPoint;

        authenticationEntryPoint = new MyBasicAuthenticationEntryPoint();
        http.csrf().disable()
                .authorizeRequests().anyRequest().authenticated().
                and().
                httpBasic()
                .authenticationEntryPoint(authenticationEntryPoint);

        http.addFilterAfter(new CustomFilter(),
                BasicAuthenticationFilter.class);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        System.out.println("passwordEncoder");
        return new BCryptPasswordEncoder();
    }


    class CustomFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {

        }

        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
            filterChain.doFilter(servletRequest, servletResponse);
        }

        @Override
        public void destroy() {

        }
    }

But when I try to access one of api, I am getting 404. For Testing purpose added index.jsp with some sample contents. It's working fine after deploying.

So what changes need to be done in configuration to enable SSL in spring. I cant mention keystore path in spring configuration since I have already configured it in tomcat. Also I am using Jersey for api request.

Answer 1

I am using Spring Boot 2 with an external tomcat 9 running on Ubuntu 18.04

Get an SSL certificate, I created a self-signed cert using keytool with a password. https://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-using-java-keytool.html

Store the p12 file on your apache server. I stored it in /opt/tomcat

Edit your apache server.xml file to have something like this.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" 
      maxThreads="150" scheme="https" secure="true"
      keystoreFile="/opt/tomcat/keystore.p12" keystorePass="password" 
      clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1"/>

Restart Tomcat

Done!

It is very quick once you know what the steps are! Just don't forget anything.