I. Application Certificate
The application process is brief.
fileauth.txt,.jks secret key file and secret key password
Two, configuration
- Engineering code
(1) Upload certificate files, file location:
WebRoot/.well-known/pki-validation/fileauth.txt
(2) Add the following code to web.xml:
<security-constraint> <web-resource-collection> <web-resource-name>SSL</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
Note:
Set TRANSPORT-GUARANTEE=CONFIDENTIAL to protect sensitive resources
In order to protect sensitive data in Web applications, prevent illegal access to resources and ensure the security of transmission, Java Servlet
2.2 Specification defines Security-Constraint components, which are used to specify security constraints for one or more Web resource sets; User-Data-Constraint components are subclasses of security constraints components that specify how data transferred between clients and containers is protected.
User data constraint component also includes Transport-Guarantee component, which stipulates that the communication between client and server must be one of the following three modes: NONE, INTEGRAL and CONFIDENTIAL. NONE denotes that the specified Web resource does not require any transmission guarantee; Integral denotes that the data transmitted between the client and the server will not be tampered with during transmission; and Confidential denotes that the data is encrypted during transmission. In most cases, INTEGRAL or CONFIDENTIAL is implemented using SSL.
This paper is to verify through experiments that when transport-guarantee=CONFIDENTIAL is set up, the original protected resources will automatically be transferred from HTTP protocol to HTTPS protocol.
-
tomcat
(1) Place the applied. jks key file in the conf directory of tomcat.(2) Modify the file: conf/server.xml (see modify annotation for the location of the change)
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" /><!--modify:Change to jump to port 443 -->
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<!--modify:This default is commented out, let go.
Port: Port, https The default port number is 443. http The default port number is 80
SSLEnabled: open ssl
keystoreFile: Secret key file path;
keystorePass: Password entered when creating a secret key file-->
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/AAAA.jks"
keystorePass="123456"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--modify:Change to jump to port 443 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
(3) Restart tomcat
Three, effect
Using http access, jump to the https path by default.
Reference:
https://www.cnblogs.com/xuegqcto/p/9116712.html
https://www.trustasia.com/news-201801-tomcat-deployment
https://www.cnblogs.com/blog5277/p/7524067.html
https://blog.csdn.net/baidu_18607183/article/details/51611720