【发布时间】:2021-02-22 07:35:57
【问题描述】:
我是春天的新手。我想为 Spring 应用程序配置 ssl 证书。目前我正在使用外部 tomcat9 并配置了它的 8443 端口(工作正常):
tomcat的server.xml:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150"
SSLEnabled="true"
scheme="https"
secure="true" >
<SSLHostConfig>
<Certificate certificateKeystoreFile="G:\apache-tomcat-9.0.39\conf\myexistingkey.jks"
certificateKeystorePassword="password"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
在应用中:
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<absolute-ordering />
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
并使用 Spring Security 设置基本身份验证,例如: MyBasicAuthEntryPoint:
public class MyBasicAuthenticationEntryPoint extends BasicAuthenticationEntryPoint {
@Override
public void commence(final HttpServletRequest request,
final HttpServletResponse response,
final AuthenticationException authException) throws IOException {
//Authentication failed, send error response.
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
response.addHeader("WWW-Authenticate", "Basic realm=" + getRealmName() + "");
PrintWriter writer = response.getWriter();
writer.println("HTTP Status 401 : " + authException.getMessage());
}
@Override
public void afterPropertiesSet() {
setRealmName("MY_TEST_REALM");
super.afterPropertiesSet();
}
}
和 BasicAuthService:
@Configuration
@EnableWebSecurity
public class BasicAuthenticationService extends WebSecurityConfigurerAdapter {
private static String REALM = "MY_TEST_REALM";
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication().withUser("admin").password(passwordEncoder().encode("admin")).roles("USER");
System.out.println("configureGlobalSecurity");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
System.out.println("configure");
MyBasicAuthenticationEntryPoint authenticationEntryPoint;
authenticationEntryPoint = new MyBasicAuthenticationEntryPoint();
http.csrf().disable()
.authorizeRequests().anyRequest().authenticated().
and().
httpBasic()
.authenticationEntryPoint(authenticationEntryPoint);
http.addFilterAfter(new CustomFilter(),
BasicAuthenticationFilter.class);
}
@Bean
public PasswordEncoder passwordEncoder() {
System.out.println("passwordEncoder");
return new BCryptPasswordEncoder();
}
class CustomFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
filterChain.doFilter(servletRequest, servletResponse);
}
@Override
public void destroy() {
}
}
但是当我尝试访问其中一个 api 时,我得到 404。出于测试目的,添加了 index.jsp 和一些示例内容。部署后运行良好。
那么在spring 中启用SSL 需要在配置中进行哪些更改。我不能在 spring 配置中提及 keystore 路径,因为我已经在 tomcat 中配置了它。我也在使用 Jersey 进行 api 请求。
【问题讨论】:
标签: java spring spring-boot ssl tomcat9