Force HTTPS access
2015-03-27 11:43
387 views
Environment:
tomcat8
jsp
Preparation:
1. Generate the key
If the -alias parameter is not "tomcat", server.xml needs an extra attribute (keyAlias, listed in the table below) to name the alias.
If the keystore password differs from the key password, the two have to be set separately in the configuration below (keystorePass and keyPass); many examples online use the same password for the keystore and the key.
```
keytool -genkeypair -keyalg "RSA" -keystore "tomcat_keystore" -alias "tomcat"
```
2. Configure the key information and the HTTPS connector in server.xml
Just uncomment the connector on port 8443 and add
`keystoreFile="d:/key/tomcat.keystore" keystorePass="tomcat123"`
The protocol attribute seems to have several options; the full version:
```xml
<Connector port="443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="d:/key/tomcat.keystore" keystorePass="tomcat" />
```
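The connector above works, but it leaves the JVM defaults in charge of protocol versions and reuses one password for keystore and key. The fragment below is an added example, not from the original post, of the pair of connectors a deployment like this normally needs: the plain HTTP connector must carry redirectPort pointing at the HTTPS connector, because that is the port Tomcat redirects to when a web.xml security constraint asks for CONFIDENTIAL transport; the HTTPS connector pins the protocol list, restricts the cipher list (attribute names as in the table that follows), and sets keyAlias and keyPass separately in case the key password differs from the keystore password (keytool's -storepass and -keypass options set the two). The keystore path, alias and the placeholder passwords are assumptions.

```xml
<!-- Added example, not the original post's configuration. Assumes the keystore at
     d:/key/tomcat.keystore was created with alias "tomcat"; the two passwords are
     placeholders to be replaced. -->

<!-- Plain HTTP connector. redirectPort must name the HTTPS connector's port: a
     <transport-guarantee>CONFIDENTIAL</transport-guarantee> constraint in web.xml
     makes Tomcat redirect plaintext requests to this port. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- HTTPS connector, tightened relative to the one in the post:
     - sslEnabledProtocols pins TLS 1.2 instead of whatever the JVM enables by default
     - ciphers lists forward-secret AEAD suites only (JSSE names, ',' separated)
     - keyAlias selects the certificate explicitly rather than "first key in the store"
     - keystorePass and keyPass are given separately -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
           keystoreFile="d:/key/tomcat.keystore"
           keystorePass="KEYSTORE_PASSWORD_PLACEHOLDER"
           keyAlias="tomcat"
           keyPass="KEY_PASSWORD_PLACEHOLDER" />
```

If the HTTP connector stays on 8080 and HTTPS on 8443 as in the stock server.xml, keep the same pairing (redirectPort="8443"); the point is only that the two values match. Both passwords still sit in clear text in server.xml, so the file's permissions matter as much as the password strength.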
Below are the options that can be configured, copied from http://127.0.0.1/docs/config/http.html#SSL_Support (Tomcat's bundled documentation):
The BIO, NIO and NIO2 connectors use the following attributes to configure SSL:
Attribute | Description |
---|---|
algorithm | The certificate encoding algorithm to be used. This defaults to KeyManagerFactory.getDefaultAlgorithm() which returns SunX509 for Sun JVMs. IBM JVMs return IbmX509. For other vendors, consult the JVM documentation for the default value. |
allowUnsafeLegacyRenegotiation | Is unsafe legacy TLS renegotiation allowed, which is likely to expose users to CVE-2009-3555, a man-in-the-middle vulnerability in the TLS protocol that allows an attacker to inject arbitrary data into the user's request. If not specified, a default of false is used. This attribute only has an effect if the JVM does not support RFC 5746 as indicated by the presence of the pseudo-ciphersuite TLS_EMPTY_RENEGOTIATION_INFO_SCSV. This is available from JRE/JDK 6 update 22 onwards. Where RFC 5746 is supported the renegotiation - including support for unsafe legacy renegotiation - is controlled by the JVM configuration. |
ciphers | If specified and using ',' as a separator, only the ciphers that are listed and supported by the SSL implementation will be used. The ciphers are specified using the JSSE cipher naming convention. The special value of ALL will enable all supported ciphers. This will include many that are not secure. ALL is intended for testing purposes only. The list can also use ':' as a separator, in that case it will use the OpenSSL syntax (see OpenSSL documentation for the list of ciphers supported and the syntax). If not specified, a default (using the OpenSSL notation) of HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5 will be used. Note that Java does treat the order in which ciphers are defined as an order of preference. |
clientAuth | Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication. |
clientCertProvider | When client certificate information is presented in a form other than instances of java.security.cert.X509Certificate it needs to be converted before it can be used and this property controls which JSSE provider is used to perform the conversion. For example it is used with the AJP connectors, the HTTP APR connector and with the org.apache.catalina.valves.SSLValve. If not specified, the default provider will be used. |
crlFile | The certificate revocation list to be used to verify client certificates. If not defined, client certificates will not be checked against a certificate revocation list. |
keyAlias | The alias used for the server certificate in the keystore. If not specified the first key read in the keystore will be used. |
keyPass | The password used to access the server certificate from the specified keystore file. The default value is "changeit". |
keystoreFile | The pathname of the keystore file where you have stored the server certificate to be loaded. By default, the pathname is the file ".keystore" in the operating system home directory of the user that is running Tomcat. If your keystoreType doesn't need a file use "" (empty string) for this parameter. |
keystorePass | The password used to access the specified keystore file. The default value is the value of the keyPass attribute. |
keystoreProvider | The name of the keystore provider to be used for the server certificate. If not specified, the list of registered providers is traversed in preference order and the first provider that supports the keystoreType is used. |
keystoreType | The type of keystore file to be used for the server certificate. If not specified, the default value is "JKS". |
sessionCacheSize | The number of SSL sessions to maintain in the session cache. Use 0 to specify an unlimited cache size. If not specified, a default of 0 is used. |
sessionTimeout | The time, in seconds, after the creation of an SSL session that it will timeout. Use 0 to specify an unlimited timeout. If not specified, a default of 86400 (24 hours) is used. |
sslEnabledProtocols | The comma separated list of SSL protocols to support for HTTPS connections. If specified, only the protocols that are listed and supported by the SSL implementation will be enabled. If not specified, the JVM default (excluding SSLv2 and SSLv3 if the JVM enables either or both of them by default) is used. The permitted values may be obtained from the JVM documentation for the allowed values for SSLSocket.setEnabledProtocols(), e.g. Oracle Java 7. Note: There is overlap between this attribute and sslProtocol. |
sslImplementationName | The class name of the SSL implementation to use. If not specified, the default of org.apache.tomcat.util.net.jsse.JSSEImplementation will be used, which wraps the JVM's default JSSE provider. Note that the JVM can be configured to use a different JSSE provider as the default. |
sslProtocol | The SSL protocol(s) to use (a single value may enable multiple protocols - see the JVM documentation for details). If not specified, the default is TLS. The permitted values may be obtained from the JVM documentation for the allowed values for algorithm when creating an SSLContext instance, e.g. Oracle Java 7. Note: There is overlap between this attribute and sslEnabledProtocols. |
trustManagerClassName | The name of a custom trust manager class to use to validate client certificates. The class must have a zero argument constructor and must also implement javax.net.ssl.X509TrustManager. If this attribute is set, the trust store attributes may be ignored. |
trustMaxCertLength | The maximum number of intermediate certificates that will be allowed when validating client certificates. If not specified, the default value of 5 will be used. |
truststoreAlgorithm | The algorithm to use for the truststore. If not specified, the default value returned by javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm() is used. |
truststoreFile | The trust store file to use to validate client certificates. The default is the value of the javax.net.ssl.trustStore system property. If neither this attribute nor the default system property is set, no trust store will be configured. |
truststorePass | The password to access the trust store. The default is the value of the javax.net.ssl.trustStorePassword system property. If that property is null, no trust store password will be configured. If an invalid trust store password is specified, a warning will be logged and an attempt will be made to access the trust store without a password, which will skip validation of the trust store contents. |
truststoreProvider | The name of the truststore provider to be used for the server certificate. The default is the value of the javax.net.ssl.trustStoreProvider system property. If that property is null, the value of keystoreProvider is used as the default. If neither this attribute, the default system property nor keystoreProvider is set, the list of registered providers is traversed in preference order and the first provider that supports the truststoreType is used. |
truststoreType | The type of key store used for the trust store. The default is the value of the javax.net.ssl.trustStoreType system property. If that property is null, the value of keystoreType is used as the default. |
3. Confirm that entering https://127.0.0.1/ works normally (the browser will show a warning for the self-signed certificate; click "continue" to proceed).
Also, the official documentation is at http://127.0.0.1/docs/ssl-howto.html
Solutions:
Method 1: add the following to the web.xml of the application in question
```xml
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
```
The exact steps may differ; below is the configuration when using FORM authentication
```xml
<security-constraint>
  <display-name>zzz</display-name>
  <web-resource-collection>
    <web-resource-name>xxx</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/*</url-pattern>
    <!-- If you list http methods, only those methods are protected so -->
    <!-- the constraint below ensures all other methods are denied -->
    <!-- Note: no such deny-all constraint is present in this file, so methods not
         listed here (HEAD, OPTIONS, TRACE, ...) are left unprotected; either drop
         the http-method list so the constraint covers every method, or add one -->
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>gm</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>yyy</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>gm</role-name>
</security-role>
```
Method 2: add a redirect in the JSP page that sends the client to the HTTPS page
```jsp
<%
    // redirect plain-HTTP requests to the same URL over HTTPS
    if (!"https".equalsIgnoreCase(request.getScheme())) {
        String url = request.getRequestURL().toString();
        url = url.replace("http://", "https://");
        response.sendRedirect(url);
        return; // stop rendering the rest of the page on the plaintext request
    }
%>
```
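Method 2 has to be repeated in every JSP, and the string replace drops the query string and breaks if the HTTP connector is not on port 80. As an added example (not part of the original post), here is the same check as a servlet Filter mapped to /* so it covers the whole application. The class name ForceHttpsFilter and the constant HTTPS_PORT (assumed 443, the port of the SSLEnabled connector) are this example's own choices. It rebuilds the URL from its parts, keeps the query string, answers with a 301 so browsers remember the upgrade, and sends a Strict-Transport-Security header on HTTPS responses.

```java
// Added example, not from the original post: a servlet Filter that forces HTTPS
// for every request of the web application (Tomcat 8, Servlet 3.1 javax API).
// Assumption: the HTTPS connector listens on HTTPS_PORT.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ForceHttpsFilter implements Filter {
    // Assumed port of the SSLEnabled connector in server.xml.
    private static final int HTTPS_PORT = 443;

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() is true only on a connector configured with secure="true"
        if (!request.isSecure()) {
            // Rebuild the URL from its components instead of replacing "http://",
            // so a non-default HTTP port (e.g. 8080) is not carried into the https URL.
            StringBuilder url = new StringBuilder("https://").append(request.getServerName());
            if (HTTPS_PORT != 443) {
                url.append(':').append(HTTPS_PORT);
            }
            url.append(request.getRequestURI());
            // getRequestURL()/getRequestURI() omit the query string; keep it.
            String query = request.getQueryString();
            if (query != null) {
                url.append('?').append(query);
            }
            // 301 (rather than sendRedirect's 302) lets browsers cache the upgrade;
            // return so nothing further runs on the plaintext request.
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", url.toString());
            return;
        }

        // Already on HTTPS: ask the browser to use HTTPS for this host for a year,
        // so later plaintext requests are upgraded client-side before they leave.
        response.setHeader("Strict-Transport-Security", "max-age=31536000");
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Register it in web.xml with a `<filter>` element whose `<filter-class>` is ForceHttpsFilter and a `<filter-mapping>` with `<url-pattern>/*</url-pattern>`. One caveat applies to both this filter and the scriptlet in Method 2: if Tomcat sits behind a proxy that terminates TLS, every request arrives over plain HTTP, isSecure() is always false, and the redirect loops. In that setup configure Tomcat's RemoteIpValve (its protocolHeader attribute tells Tomcat which forwarded header carries the original scheme) so that isSecure() reflects the client's connection, or leave the redirect to the proxy.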
References:
1.http://biancheng.dnbcw.info/java/337001.html
2.http://wenku.baidu.com/link?url=-yRtvPa5FsBnpgZj8btd4rBodqAHhknqIjLA2lloOunHvsXxyDkYADtaN1bHsVsfiuoQJCECfUEPUhr35mpPiz_9zptqLmp6USRl62HyuqG
3.