
Tomcat/Spring SSL configuration

I'm trying to configure my Spring application to use an SSL certificate I purchased from a CA. I followed the directions for the Tomcat 6.0 configuration and have imported the key into my Tomcat keystore and uncommented the SSL connector in the server.xml. When I start Tomcat, I see the connector start on port 8443 in the Tomcat logs, but when I go to https://example.com:8443 or http: //example.com:8443 or https: //example.com (without the spaces - I don't have the reputation to post links), it times out. What other configuration do I need to do to enable SSL for my Spring application? Do I have to change the application configuration?

I'd also like to only have some URLs over SSL (login, edit profile, etc.). How can I allow this in the Spring configuration? If I have to have all URLs accessible over SSL, that would be ok, but not desirable. I haven't found any tutorials that are Spring specific.

About the second point:

I'd also like to only have some URLs over SSL (login, edit profile, etc.).

You could determine it by modifying the configuration in web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <!-- <url-pattern>/*</url-pattern> --> <!--all pages-->
        <url-pattern>/yourapp/login</url-pattern>
        <url-pattern>/yourapp/edit</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Hope that helps you.

What you'll need to do is to edit your server.xml file to enable SSL. Here's Tomcat's guide, please check it out:

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

In order to programmatically know if a request has arrived through port 80 or 443, you need to inspect the value returned by request.isSecure().

To secure URLs altogether, I'd recommend using a Filter.

I don't remember how all of this is handled by Spring, but I don't think you'll have any problems to obtain the request object.

Hope that helps.
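The Filter approach suggested in the answer above, sketched as an added example that is not part of the original answer. The class name `HttpsOnlyFilter`, the path prefixes and the port constant are assumptions; it uses the `javax.servlet` API that Tomcat 6 ships.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: redirects selected paths to the SSL connector.
public class HttpsOnlyFilter implements Filter {
    // Paths (relative to the context path) that must only be served over TLS.
    private static final List<String> SECURE_PREFIXES = Arrays.asList("/login", "/edit");
    // Assumption: must match the port of the SSL <Connector> in server.xml.
    private static final int HTTPS_PORT = 8443;

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Container-decoded path without ";jsessionid=..." parameters, so a
        // request for /login;x=y is matched the same way as /login.
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info != null ? info : "");

        if (!request.isSecure() && requiresTls(path)) {
            // getServerName() reflects the Host header; use a configured
            // hostname instead if the connector accepts arbitrary hosts.
            StringBuilder target = new StringBuilder("https://")
                    .append(request.getServerName()).append(':').append(HTTPS_PORT)
                    .append(request.getRequestURI());
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.sendRedirect(target.toString());
            return; // never run the protected handler over plain HTTP
        }
        chain.doFilter(req, res);
    }

    static boolean requiresTls(String path) {
        for (String prefix : SECURE_PREFIXES) {
            if (path.equals(prefix) || path.startsWith(prefix + "/")) {
                return true;
            }
        }
        return false;
    }

    public void destroy() {}
}
```

A redirect only protects the requests that follow it: anything the browser already sent in the plain-HTTP request has been exposed, so forms should still post directly to an https URL.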

After you've configured Tomcat as per the document cited by @mschonaker, the simplest thing is to define the action in the j_security_check and edit profile forms, etc, specify the https: protocol, eg in a Facelet, https://#{request.serverName}:8443#{request.contextPath}/j_security_check. Then when the user hits the login button, the form POSTs via HTTPS, so they are secure.

This leaves you in HTTPS for the rest of the session: to get back to HTTP but still stay in the same session, just provide a link to a fully-specified HTTP url, eg in a Facelet, http://#{request.serverName}:8443#{request.contextPath}/some link.

If you have other pages you want secured when read, define appropriate security-constraint, user-data-constraint, and transport-guarantee CONFIDENTIAL elements for them in web.xml.
