
Force HTTPS access

2015-03-27 11:43  387 views
Environment:

tomcat8

jsp

Preparation:

1. Generate the key

In the parameters, if -alias is not tomcat, an extra attribute (keyAlias) has to be added in server.xml to name it.

If the keystore password and the key password are different, both have to be given separately in the configuration below; many examples online use the same password for the keystore and the key.

keytool -genkeypair -keyalg "RSA" -keystore "tomcat_keystore" -alias "tomcat"


2. Configure the key information and the HTTPS connector in server.xml

Just uncomment the 8443 connector and add

keystoreFile="d:/key/tomcat.keystore" keystorePass="tomcat123"

The protocol attribute seems to have several possible values; the full version:

<Connector port="443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="d:/key/tomcat.keystore" keystorePass="tomcat" />


Below are the options that can be configured, copied from http://127.0.0.1/docs/config/http.html#SSL_Support (the documentation bundled with Tomcat):

The BIO, NIO and NIO2 connectors use the following attributes to configure SSL:

algorithm
The certificate encoding algorithm to be used. This defaults to KeyManagerFactory.getDefaultAlgorithm() which returns SunX509 for Sun JVMs. IBM JVMs return IbmX509. For other vendors, consult the JVM documentation for the default value.

allowUnsafeLegacyRenegotiation
Is unsafe legacy TLS renegotiation allowed which is likely to expose users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS protocol that allows an attacker to inject arbitrary data into the user's request. If not specified, a default of false is used. This attribute only has an effect if the JVM does not support RFC 5746 as indicated by the presence of the pseudo-ciphersuite TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available from JRE/JDK 6 update 22 onwards. Where RFC 5746 is supported the renegotiation - including support for unsafe legacy renegotiation - is controlled by the JVM configuration.

ciphers
If specified and using ',' as a separator, only the ciphers that are listed and supported by the SSL implementation will be used. The ciphers are specified using the JSSE cipher naming convention. The special value of ALL will enable all supported ciphers. This will include many that are not secure. ALL is intended for testing purposes only.

The list can also use ':' as a separator, in that case it will use the OpenSSL syntax (see OpenSSL documentation for the list of ciphers supported and the syntax).

If not specified, a default (using the OpenSSL notation) of HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5 will be used.

Note that Java does treat the order in which ciphers are defined as an order of preference.

clientAuth
Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

clientCertProvider
When client certificate information is presented in a form other than instances of java.security.cert.X509Certificate it needs to be converted before it can be used and this property controls which JSSE provider is used to perform the conversion. For example it is used with the AJP connectors, the HTTP APR connector and with the org.apache.catalina.valves.SSLValve. If not specified, the default provider will be used.

crlFile
The certificate revocation list to be used to verify client certificates. If not defined, client certificates will not be checked against a certificate revocation list.

keyAlias
The alias used for the server certificate in the keystore. If not specified the first key read in the keystore will be used.

keyPass
The password used to access the server certificate from the specified keystore file. The default value is "changeit".

keystoreFile
The pathname of the keystore file where you have stored the server certificate to be loaded. By default, the pathname is the file ".keystore" in the operating system home directory of the user that is running Tomcat. If your keystoreType doesn't need a file use "" (empty string) for this parameter.

keystorePass
The password used to access the specified keystore file. The default value is the value of the keyPass attribute.

keystoreProvider
The name of the keystore provider to be used for the server certificate. If not specified, the list of registered providers is traversed in preference order and the first provider that supports the keystoreType is used.

keystoreType
The type of keystore file to be used for the server certificate. If not specified, the default value is "JKS".

sessionCacheSize
The number of SSL sessions to maintain in the session cache. Use 0 to specify an unlimited cache size. If not specified, a default of 0 is used.

sessionTimeout
The time, in seconds, after the creation of an SSL session that it will timeout. Use 0 to specify an unlimited timeout. If not specified, a default of 86400 (24 hours) is used.

sslEnabledProtocols
The comma separated list of SSL protocols to support for HTTPS connections. If specified, only the protocols that are listed and supported by the SSL implementation will be enabled. If not specified, the JVM default (excluding SSLv2 and SSLv3 if the JVM enables either or both of them by default) is used. The permitted values may be obtained from the JVM documentation for the allowed values for SSLSocket.setEnabledProtocols(), e.g. Oracle Java 7. Note: There is overlap between this attribute and sslProtocol.

sslImplementationName
The class name of the SSL implementation to use. If not specified, the default of org.apache.tomcat.util.net.jsse.JSSEImplementation will be used which wraps the JVM's default JSSE provider. Note that the JVM can be configured to use a different JSSE provider as the default.

sslProtocol
The SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details). If not specified, the default is TLS. The permitted values may be obtained from the JVM documentation for the allowed values for algorithm when creating an SSLContext instance, e.g. Oracle Java 7. Note: There is overlap between this attribute and sslEnabledProtocols.

trustManagerClassName
The name of a custom trust manager class to use to validate client certificates. The class must have a zero argument constructor and must also implement javax.net.ssl.X509TrustManager. If this attribute is set, the trust store attributes may be ignored.

trustMaxCertLength
The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 5 will be used.

truststoreAlgorithm
The algorithm to use for the truststore. If not specified, the default value returned by javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm() is used.

truststoreFile
The trust store file to use to validate client certificates. The default is the value of the javax.net.ssl.trustStore system property. If neither this attribute nor the default system property is set, no trust store will be configured.

truststorePass
The password to access the trust store. The default is the value of the javax.net.ssl.trustStorePassword system property. If that property is null, no trust store password will be configured. If an invalid trust store password is specified, a warning will be logged and an attempt will be made to access the trust store without a password which will skip validation of the trust store contents.

truststoreProvider
The name of the truststore provider to be used for the server certificate. The default is the value of the javax.net.ssl.trustStoreProvider system property. If that property is null, the value of keystoreProvider is used as the default. If neither this attribute, the default system property nor keystoreProvider is set, the list of registered providers is traversed in preference order and the first provider that supports the truststoreType is used.

truststoreType
The type of key store used for the trust store. The default is the value of the javax.net.ssl.trustStoreType system property. If that property is null, the value of keystoreType is used as the default.

3. Confirm that https://127.0.0.1/ can be opened normally (the browser will show a warning; click "continue" to proceed)

In addition, the official how-to is at: http://127.0.0.1/docs/ssl-howto.html

Solutions:

Method 1: add the following to the web.xml of the application concerned

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

The details may vary; below is the configuration when FORM authentication is used. Note that when <http-method> elements are listed, the constraint covers only those methods; leave them out to cover every method.

<security-constraint>
    <display-name>zzz</display-name>
    <web-resource-collection>
        <web-resource-name>xxx</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/*</url-pattern>
        <!-- If you list http methods, only those methods are protected so -->
        <!-- the constraint below ensures all other methods are denied -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>gm</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Default login configuration uses form-based authentication -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>yyy</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>gm</role-name>
</security-role>
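The CONFIDENTIAL constraint of Method 1 only works if Tomcat knows where to send the client: when a plain-HTTP request hits the constraint, Tomcat redirects it to the redirectPort of the connector the request arrived on, and the stock server.xml sets that to 8443 while the TLS connector in this post listens on 443. The following server.xml fragment is an added example, not the post's own configuration: it pairs the two connectors so the redirect lands on the right port, pins the JSSE (NIO) implementation so the keystore attributes from the table apply even when the APR/native library is installed, uses keyAlias and keyPass for the case from step 1 where the key password differs from the keystore password, and limits protocols and ciphers. The keystore path, alias, passwords and cipher list are assumptions to be replaced with your own.

```xml
<!-- Added example (not from the original post). Plain-HTTP connector: requests that
     hit a CONFIDENTIAL constraint are redirected to redirectPort, so it must match
     the port of the TLS connector below (the default server.xml says 8443). -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- TLS connector. Naming the NIO protocol class explicitly keeps Tomcat on JSSE,
     where the keystore* / key* attributes from the table are the ones that count.
     Path, alias, passwords and cipher names are placeholders / assumptions. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
           keystoreFile="d:/key/tomcat.keystore"
           keystoreType="JKS"
           keystorePass="STOREPASS_PLACEHOLDER"
           keyAlias="tomcat"
           keyPass="KEYPASS_PLACEHOLDER" />
```

With sslEnabledProtocols left unset, the connector falls back to the JVM default described in the table, so what a client can negotiate then depends on the JRE version rather than on server.xml; setting it explicitly makes the policy visible in one place.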
 
Method 2: add a redirect to the HTTPS page in the JSP page

<%
// Redirect plain-HTTP requests to the same URL over HTTPS.
// Assumes HTTP on port 80 and HTTPS on 443 as in the connector above; with
// 8080/8443 the port in the URL would have to be rewritten as well.
if (!"https".equalsIgnoreCase(request.getScheme())) {
    String url = request.getRequestURL().toString().replace("http://", "https://");
    // getRequestURL() drops the query string; carry it over so parameters survive
    if (request.getQueryString() != null) {
        url += "?" + request.getQueryString();
    }
    response.sendRedirect(url);
    return; // stop rendering the rest of the page after the redirect
}
%>
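The scriptlet above has to be pasted into every page and still serves the page body to anyone who ignores the redirect. A servlet Filter does the same job once for the whole application, keeps the query string, and adds a Strict-Transport-Security header once the client is on HTTPS so the browser stops trying plain HTTP at all. The class below is an added example written for this post, not code from the original; the HTTPS port, the init-param name and the web.xml names in the trailing comment are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original post): redirects every plain-HTTP request of
 * the web application to the same host, path and query over HTTPS, and sets an HSTS
 * header for requests that already arrived over HTTPS. The default port 443 is an
 * assumption matching the connector in this post.
 */
public class HttpsRedirectFilter implements Filter {

    /** Port of the TLS connector; 443 needs no explicit port in the redirect URL. */
    private int httpsPort = 443;

    @Override
    public void init(FilterConfig config) {
        // Optional init-param (assumed name) for setups with HTTPS on e.g. 8443
        String configured = config.getInitParameter("httpsPort");
        if (configured != null) {
            httpsPort = Integer.parseInt(configured.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only for requests that arrived on a connector with
        // secure="true"; behind a TLS-terminating proxy use RemoteIpValve so that the
        // X-Forwarded-Proto header is honoured, otherwise this loops.
        if (!request.isSecure()) {
            String target = buildHttpsUrl(request.getServerName(), httpsPort,
                    request.getRequestURI(), request.getQueryString());
            // 301 so browsers and caches remember it; 302 is less sticky while testing
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target);
            return; // never fall through to the page over plain HTTP
        }

        // Already on HTTPS: tell the browser to use HTTPS for this host for one year
        response.setHeader("Strict-Transport-Security", "max-age=31536000");
        chain.doFilter(req, res);
    }

    /** Builds the https:// URL for the same host, path and query string. */
    static String buildHttpsUrl(String host, int httpsPort, String requestUri, String queryString) {
        StringBuilder url = new StringBuilder("https://").append(host);
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        url.append(requestUri); // getRequestURI() already includes the context path
        if (queryString != null && !queryString.isEmpty()) {
            url.append('?').append(queryString);
        }
        return url.toString();
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

/* web.xml registration (names are assumptions), placed before the security-constraint:
 *
 * <filter>
 *   <filter-name>httpsRedirect</filter-name>
 *   <filter-class>HttpsRedirectFilter</filter-class>
 *   <init-param>
 *     <param-name>httpsPort</param-name>
 *     <param-value>443</param-value>
 *   </init-param>
 * </filter>
 * <filter-mapping>
 *   <filter-name>httpsRedirect</filter-name>
 *   <url-pattern>/*</url-pattern>
 * </filter-mapping>
 */
```

Two things to check after deploying it: request.getServerName() comes from the client's Host header, so if the connector is not bound to a fixed host, build the URL from a configured host name instead; and if Tomcat sits behind a proxy that terminates TLS, isSecure() stays false until RemoteIpValve (with protocolHeader set to X-Forwarded-Proto) is configured, in which case the filter would redirect forever.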


References:

1.http://biancheng.dnbcw.info/java/337001.html

2.http://wenku.baidu.com/link?url=-yRtvPa5FsBnpgZj8btd4rBodqAHhknqIjLA2lloOunHvsXxyDkYADtaN1bHsVsfiuoQJCECfUEPUhr35mpPiz_9zptqLmp6USRl62HyuqG
