0
votes

I'm trying to configure my Spring application to use an SSL certificate I purchased from a CA. I followed the directions for the Tomcat 6.0 configuration and have imported the key into my Tomcat keystore and uncommented the SSL connector in the server.xml. When I start Tomcat, I see the connector start on port 8443 in the Tomcat logs, but when I go to https://example.com:8443 or http: //example.com:8443 or https: //example.com (without the spaces - I don't have the reputation to post links), it times out. What other configuration do I need to do to enable SSL for my Spring application? Do I have to change the application configuration?

I'd also like to only have some URLs over SSL (login, edit profile, etc.). How can I allow this in the Spring configuration? If I have to have all URLs accessible over SSL, that would be ok, but not desirable. I haven't found any tutorials that are Spring specific.

3
try this: wiki.apache.org/tomcat/… – user597987

3 Answers

0
votes

What you'll need to do is to edit your server.xml file to enable SSL. Here's Tomcat's guide, please check it out:

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

In order to programmatically know if a request has arrived through port 80 or 443, you need to inspect the value returned by request.isSecure().

To secure URLs altogether, I'd recommend using a Filter.

I don't remember how all of this is handled by Spring, but I don't think you'll have any problems to obtain the request object.

Hope that helps.

0
votes

After you've configured Tomcat as per the document cited by @mschonaker, the simplest thing is to define the action in the j_security_check and edit profile forms, etc., to specify the https: protocol, e.g. in a Facelet, https://#{request.serverName}:8443#{request.contextPath}/j_security_check. Then when the user hits the login button, the form POSTs via HTTPS, so they are secure.

This leaves you in HTTPS for the rest of the session: to get back to HTTP but still stay in the same session, just provide a link to a fully-specified HTTP URL, e.g. in a Facelet, http://#{request.serverName}:8443#{request.contextPath}/some link.

If you have other pages you want secured when read, define appropriate security-constraint, user-data-constraint, and transport-guarantee CONFIDENTIAL elements for them in web.xml.

0
votes

About the second point:

I'd also like to only have some URLs over SSL (login, edit profile, etc.). ???

You could do it by modifying the configuration in web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <!-- url-patterns are relative to the web application's context root -->
      <!-- <url-pattern>/*</url-pattern> -->  <!-- all pages -->
      <url-pattern>/yourapp/login</url-pattern>
      <url-pattern>/yourapp/edit</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes the container require HTTPS for these patterns -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Hope that helps you.