Detailed explanation of Tomcat's HTTPS configuration

Detailed explanation of the HTTPS principle: http://blog.csdn.net/tenfyguo/article/details/5802682
http://blog.csdn.net/sean_cd/article/details/6966130
http://www.codeceo.com/article/https-worker.html
http://hittyt.iteye.com/blog/1618497
Symmetric and asymmetric encryption: http://www.cnblogs.com/jfzhu/p/4020928.html
Tests of several encryption algorithms, including symmetric and asymmetric encryption: http://www.cnblogs.com/cnblogs-lin/archive/2012/10/18/2728996.html
Detailed explanation of the SSL protocol: http://kb.cnblogs.com/page/162080/
The difference between SSL and TLS, and an introduction to both: http://kb.cnblogs.com/page/197396/
<security-constraint> and the four authentication types in web.xml: http://blog.csdn.net/lisheng19870305/article/details/40819481
The security mechanism Tomcat provides, security-constraint: http://czh.iteye.com/blog/740138
Security mechanism provided by Tomcat: http://blog.csdn.net/doupei2006/article/details/11602247
HTTP verification, Basic authentication and Digest authentication in Tomcat: http://blog.csdn.net/renminzdb/article/details/42422141
Perfectly configure Tomcat's HTTPS: http://blog.csdn.net/huaishuming/article/details/8965597
Configure Tomcat to use the https protocol (configure SSL): http://blog.csdn.net/jimmy609/article/details/18557955
Configure Tomcat to use the https protocol: http://www.cnblogs.com/wanghaoyuhappy/p/5267702.html
Realm configuration: http://wiki.jikexueyuan.com/project/tomcat/realms-aaa.html

Modify the hosts file
Go to the C:\Windows\System32\drivers\etc\ folder, open the hosts file and add the following line:

127.0.0.1  www.donald.com


Save. This domain name will be used later when we generate the keystore; first check that it resolves by pinging it:
C:\Users\donald>ping www.donald.com

Pinging www.donald.com [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64
Reply from 127.0.0.1: bytes=32 time<1ms TTL=64

Ping stats for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% lost),
Estimated time of round trip in milliseconds:
    Shortest = 0ms, Longest = 0ms, Average = 0ms


C:\Users\donald>java -version
java version "1.7.0_17"
Java(TM) SE Runtime Environment (build 1.7.0_17-b02)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)


My java version is: 1.7.0_17

Open a command prompt and generate the keystore and .crt files as follows, using the Java keytool utility to create the keystore file:

C:\Users\donald>keytool
Key and certificate management tools
Commands:
 -certreq generate certificate request
 -changealias Change the alias of the entry
 -delete delete entry
 -exportcert export certificate
 -genkeypair Generate key pair
 -genseckey generate key
 -gencert Generate certificate from certificate request
 -importcert import certificate or certificate chain
 -importkeystore imports one or all entries from other keystores
 -keypasswd Change the entry's key passphrase
 -list list the entries in the keystore
 -printcert print certificate content
 -printcertreq print the contents of the certificate request
 -printcrl print the contents of the CRL file
 -storepasswd Change the store password for the keystore


Use "keytool -command_name -help" to get the usage of command_name

Generate keystore file command:
keytool -genkey -alias keyssl -keyalg RSA -keystore F:/keys


C:\Users\donald>keytool -genkey -alias keyssl -keyalg RSA -keystore F:/keys
Enter the keystore password:
Enter the new password again:
They don't match. Please try again
Enter the keystore password:
Enter the new password again:
What is your first and last name?
  [Unknown]:  www.donald.com
What is your organizational unit name?
  [Unknown]:  donald
What is the name of your organization?
  [Unknown]:  donald
What is the name of your city or area?
  [Unknown]:  guangzhou
What is the name of your province/city/autonomous region?
  [Unknown]:  guangdong
What is the two-letter country code for this unit?
  [Unknown]:  CN
Is CN=www.donald.com, OU=donald, O=donald, L=guangzhou, ST=guangdong, C=CN correct?
  [No]: Y

Enter the key password for <keyssl>
        (if the same as the keystore password, press enter):
Enter the new password again:
my password is h123456




Export crt file command:
keytool -export -file F:/donald.crt -alias keyssl -keystore F:/keys

Note that keyssl after -alias is the alias of the entry in F:/keys; it must match the alias used when the keystore was generated above.

C:\Users\donald>keytool -export -file F:/donald.crt -alias keyssl -keystore F:/keys

Enter the keystore password:
The certificate is stored in the file <F:/donald.crt>




Configure the server.xml file in Tomcat's conf directory. Since port 80 is already occupied on my machine, port 8080 is used here; my Tomcat version is 7.0.54.

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" URIEncoding="UTF-8"/>

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" maxHttpHeaderSize="8192"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="SSL"
           ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                    SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
           keystoreFile="F:/keys" keystorePass="h123456"/>

When we access the site, the request arrives at the plain HTTP Connector (port 8080 here) and is redirected to port 443 (redirectPort). From the configuration above we can see that SSL is enabled, the scheme is https, client certificate verification (clientAuth) is off, the SSL protocol is SSL, the cipher list starts with SSL_RSA_WITH_RC4_128_SHA, the keystore file is F:/keys and its password is h123456:

SSLEnabled="true"
scheme="https"
clientAuth="false"
sslProtocol="SSL"
ciphers="SSL_RSA_WITH_RC4_128_SHA,..."
keystoreFile="F:/keys"
keystorePass="h123456"
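The attributes above are exactly the ones a reviewer looks at before a Tomcat HTTPS connector goes live, so here is an added audit script (my example, not code from the original post) that parses a server.xml, finds every SSLEnabled Connector and reports the risky settings visible in this article's connector: sslProtocol="SSL" (the JSSE context name that still permits SSLv3, deprecated by RFC 7568), the RC4 suites (prohibited by RFC 7465) and 3DES suites (Sweet32), and the keystore password stored as a literal. Beside it is a constructed hardened connector for comparison; the property name https.keystore.password, the keystore path and the cipher list are my assumptions. Tomcat substitutes ${...} in server.xml from system properties or catalina.properties, sslEnabledProtocols is the Tomcat 7 JSSE attribute that pins the TLS versions offered, and the GCM suites require Java 8 or later.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first HTTPS Connector from this article, as the
# audit function would see it inside server.xml.
ARTICLE_CONNECTOR = """<Server><Service name="Catalina">
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false" sslProtocol="SSL"
             ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                      TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                      SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                      SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
             keystoreFile="F:/keys" keystorePass="h123456"/>
</Service></Server>"""

# Constructed hardened variant (assumed values): TLS context, TLSv1.2 pinned,
# AEAD suites with forward secrecy, keystore password read from a ${...}
# property that Tomcat substitutes from catalina.properties or a -D flag.
HARDENED_CONNECTOR = """<Server><Service name="Catalina">
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
             keystoreFile="${catalina.base}/conf/keystore.jks"
             keystorePass="${https.keystore.password}"/>
</Service></Server>"""

# Substrings of suite names that are broken or prohibited: RC4 (RFC 7465),
# 3DES/DES (Sweet32, 56-bit keys), NULL/EXPORT/anonymous suites, MD5 MACs.
WEAK_MARKERS = ("RC4", "3DES", "_DES_", "NULL", "EXPORT", "MD5", "anon")
# JSSE protocol names that admit SSLv3 (RFC 7568) or TLS below 1.2.
LEGACY_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "SSLv2Hello", "TLSv1", "TLSv1.1"}


def _split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_connectors(server_xml):
    """Return {port: [finding, ...]} for every Connector with SSLEnabled="true"."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        proto = conn.get("sslProtocol", "TLS")          # Tomcat's default is TLS
        if proto in LEGACY_PROTOCOLS:
            findings.append("sslProtocol=%s allows legacy SSL/TLS versions" % proto)
        enabled = set(_split_list(conn.get("sslEnabledProtocols", "")))
        if not enabled:
            findings.append("sslEnabledProtocols not set; JDK defaults decide the offered versions")
        elif enabled & LEGACY_PROTOCOLS:
            findings.append("sslEnabledProtocols enables legacy versions: %s"
                            % sorted(enabled & LEGACY_PROTOCOLS))
        ciphers = _split_list(conn.get("ciphers", ""))
        for suite in ciphers:
            if any(marker in suite for marker in WEAK_MARKERS):
                findings.append("weak cipher suite: " + suite)
        if ciphers and not any("DHE" in suite for suite in ciphers):   # DHE or ECDHE
            findings.append("no forward-secrecy (DHE/ECDHE) suites configured")
        password = conn.get("keystorePass", "")
        if password and not password.startswith("${"):
            findings.append("keystorePass is a plain-text literal in server.xml")
        report[conn.get("port")] = findings
    return report
```

Run audit_connectors on the article's connector and it lists the SSL context, the missing version pin, one RC4 and three 3DES suites, and the literal password; the hardened connector produces an empty list for port 443. The check is static: it tells you what the configuration allows, not what a client will negotiate, so pair it with an external TLS scan once the server is up.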

With this first method the client is not authenticated, and keystorePass is stored in plain text.
A second configuration method (reference: http://blog.sina.com.cn/s/blog_64a52f2a0101g35m.html):
<Connector port="443" maxHttpHeaderSize="8192"
                 maxThreads="150"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" scheme="https" secure="true"
                 SSLEnabled="true"
                 sslProtocol="TLS"
                 SSLCertificateFile="${catalina.base}/conf/server.cer"
                 SSLCertificateKeyFile="${catalina.base}/conf/server.key" />


SSLCertificateFile refers to the certificate file and SSLCertificateKeyFile to the private key file.
How do we obtain these two files?
First download the OpenSSL tool: http://gnuwin32.sourceforge.net/packages/openssl.htm. After decompression, besides openssl.exe there is a .bat file that helps us quickly create a certificate request file.
Run autocsr.bat, enter the information as prompted, and press any key to confirm. You will get two files:
server.key, which is the private key file, and a certificate request file called certreq.csr.
If you want to apply for a formal certificate from a certificate authority, just send them the certreq.csr file.
They will send you back two .cer files, one for the server certificate and one for the root certificate; if you just want to use HTTPS,
the certificate can be self-signed.

The steps are as follows:
On the command line, go to the directory you just decompressed, change into the directory where openssl.exe is located, and run the following command:
openssl x509 -req -in certreq.csr -out server.cer -signkey server.key -days 3650
You now have a certificate file named server.cer; server.cer and server.key are the two files used in the configuration above.

If you really apply for a formal security certificate from a certificate authority, the configuration is a bit different, as follows
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true"
           sslProtocol="TLS"
           SSLCertificateFile="conf/server.cer"
           SSLCertificateKeyFile="conf/server.key"
           SSLCertificateChainFile="conf/intermediate.cer" />


Because the certificate authority gives you two certificates, the signed server certificate and the intermediate CA certificate, there is one extra line of configuration.
The certificate authority may only send you the server certificate, server.cer; the intermediate CA certificate, intermediate.cer, then has to be downloaded from the website the certificate authority provides. The e-mail from the certificate authority contains instructions for this.


The web.xml configuration is as follows:

<!-- Configure application security -->
<login-config>
    <!-- Authorization setting for SSL -->
    <!-- <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
    <auth-method>BASIC</auth-method>
     -->
    <auth-method>BASIC</auth-method>
</login-config>
<!-- Login and registration over SSL -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <!-- /* means use HTTPS for all web resources -->
        <!-- <url-pattern>/*</url-pattern> -->
        <!-- Use HTTPS only for the following URLs -->
        <url-pattern>/login.do</url-pattern>
        <url-pattern>/register.do</url-pattern>
        <url-pattern>/saveRegist.do</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- Forbid unsafe HTTP methods -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>unfortune</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>PATCH</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
</security-constraint>


login-config configuration items:
auth-method: there are four client authentication methods, BASIC, DIGEST, FORM and CLIENT-CERT. BASIC transmits the credentials base64-encoded, DIGEST uses an MD5 message digest, FORM uses a custom login form that you specify for the login page, and CLIENT-CERT requires the client to install a digital certificate.
realm-name: see http://wiki.jikexueyuan.com/project/tomcat/realms-aaa.html

security-constraint configuration items:
web-resource-collection:
web-resource-name:
url-pattern:
http-method:

This element identifies the resources that should be protected. Every security-constraint must contain at least one web-resource-collection.
It consists of a web-resource-name element giving an arbitrary identifying name, a url-pattern element identifying the URLs to protect,
an http-method element indicating the HTTP methods to which this protection applies (GET, POST, etc.; all methods by default) and
an optional description element. It is important to note that the url-pattern only applies to clients accessing these resources directly;
in particular, it does not apply to pages reached through an MVC architecture using RequestDispatcher,
or to pages reached by means such as jsp:forward.

auth-constraint:
The auth-constraint sub-element is normally used together with login-config, but can also be used alone.
If there is no auth-constraint sub-element, any user can access the corresponding resources;
that is, a security-constraint without an auth-constraint does not actually restrict who may access them.
If the auth-constraint sub-element is present but empty, users of every identity are prohibited from accessing the corresponding resources.

user-data-constraint:
This optional element specifies which transport-layer protection is required when accessing the associated resource. It must contain a transport-guarantee sub-element
(legal values are NONE, INTEGRAL or CONFIDENTIAL) and may optionally contain a description element. A
transport-guarantee of NONE imposes no restriction on the communication protocol used; an
INTEGRAL value indicates that the data must be transmitted in a way that protects it from interception in transit.
Although in principle (and in future versions of HTTP) there may be a difference between INTEGRAL and CONFIDENTIAL,
in current practice both simply require SSL.
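The rules above (empty auth-constraint denies everyone, a missing auth-constraint allows everyone, CONFIDENTIAL forces HTTPS) only describe one constraint; what a request actually gets depends on which constraints the container selects for it. The added example below (my code, not from the original post) models that selection the way the Servlet 3.0 specification and Tomcat 7 do it: the url-pattern that best matches the request path is chosen first (exact match beats the longest prefix, which beats an extension pattern), and only constraints on that pattern whose http-method list covers the request method apply. Run against this article's two constraints it shows the consequence: for /login.do the exact pattern wins, so the /* constraint that forbids PUT, DELETE, TRACE and so on is never consulted for that path, and PUT /login.do is uncovered and allowed (Tomcat 7 logs a startup warning about uncovered methods for exactly this situation). The constructed fix, which is my assumption and not part of the article, repeats the deny collection for the three exact patterns; the web-resource-name unfortune-exact is invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <security-constraint> blocks from this article,
# wrapped in a Servlet 3.0 <web-app> root with its usual default namespace.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/login.do</url-pattern><url-pattern>/register.do</url-pattern>
      <url-pattern>/saveRegist.do</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>unfortune</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method><http-method>DELETE</http-method><http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method><http-method>TRACE</http-method><http-method>PATCH</http-method>
    </web-resource-collection>
    <auth-constraint></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed fix (assumed, not from the article): repeat the deny collection for
# the exact patterns, so the exact match no longer shadows the /* constraint.
EXTRA_DENY_COLLECTION = """<web-resource-collection>
      <web-resource-name>unfortune-exact</web-resource-name>
      <url-pattern>/login.do</url-pattern><url-pattern>/register.do</url-pattern>
      <url-pattern>/saveRegist.do</url-pattern>
      <http-method>PUT</http-method><http-method>DELETE</http-method><http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method><http-method>TRACE</http-method><http-method>PATCH</http-method>
    </web-resource-collection>
    """
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace("<auth-constraint>", EXTRA_DENY_COLLECTION + "<auth-constraint>")


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace from a tag name


def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def load_policy(web_xml):
    """Parse each <security-constraint> into a dict:
    collections = [(patterns, methods)], an empty method set meaning all methods;
    auth = 'absent' | 'deny' (empty auth-constraint) | set of role names;
    transport = NONE | INTEGRAL | CONFIDENTIAL (no user-data-constraint = NONE)."""
    policy = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        cols = [([p.text.strip() for p in _kids(w, "url-pattern")],
                 {m.text.strip().upper() for m in _kids(w, "http-method")})
                for w in _kids(sc, "web-resource-collection")]
        auth = "absent"
        for ac in _kids(sc, "auth-constraint"):
            auth = {r.text.strip() for r in _kids(ac, "role-name")} or "deny"
        transport = "NONE"
        for udc in _kids(sc, "user-data-constraint"):
            for tg in _kids(udc, "transport-guarantee"):
                transport = tg.text.strip().upper()
        policy.append({"collections": cols, "auth": auth, "transport": transport})
    return policy


def _rank(pattern, path):
    """Servlet mapping precedence: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*."):
        last = path.rsplit("/", 1)[-1]
        if "." in last and last.rsplit(".", 1)[1] == pattern[2:]:
            return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


def evaluate(policy, path, method, secure):
    """Decide what the container does with one request, in Tomcat's order:
    select the constraints on the best-matching url-pattern, apply the
    transport guarantee (redirect to HTTPS), then the auth-constraint."""
    method = method.upper()
    ranked = [(_rank(p, path), p) for c in policy for pats, _ in c["collections"] for p in pats]
    ranked = [rp for rp in ranked if rp[0] is not None]
    if not ranked:
        return ("ALLOW", "no url-pattern matches")
    best = max(ranked)[1]
    applicable = [c for c in policy
                  if any(best in pats and (not meths or method in meths)
                         for pats, meths in c["collections"])]
    if not applicable:
        return ("ALLOW", "%s is uncovered for pattern %s" % (method, best))
    if not secure and all(c["transport"] != "NONE" for c in applicable):
        return ("REDIRECT_HTTPS", "transport-guarantee requires TLS")
    auths = [c["auth"] for c in applicable]
    if "deny" in auths:
        return ("FORBIDDEN", "empty auth-constraint")
    if "absent" in auths:
        return ("ALLOW", "a matching constraint has no auth-constraint")
    return ("AUTH_REQUIRED", "roles: " + ", ".join(sorted(set().union(*auths))))
```

evaluate(load_policy(SAMPLE_WEB_XML), "/login.do", "GET", secure=False) returns REDIRECT_HTTPS and the same request over HTTPS is allowed, TRACE /index.jsp is forbidden, but PUT /login.do comes back as ALLOW with the reason "PUT is uncovered for pattern /login.do"; with HARDENED_WEB_XML the same PUT is forbidden while the HTTPS redirect for GET still works. The model ignores http-method-omission and role mapping, and the Servlet 3.1 deny-uncovered-http-methods element (Tomcat 8 and later) is the standard way to close uncovered methods without repeating collections by hand.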

Start the server and open the site in a browser; the result is shown in the figure below (figure omitted):





Choose to trust the certificate, then go to www.donald.com to access the site.
Many people on the Internet say they have encountered a problem here, but I have not:
usually it is an exception which roughly means that APR is not available. If you encounter this exception, it
means that your Tomcat does not have APR support installed. For details of the APR installation, see: http://www.blogjava.net/yongboy/archive/2009/08/31/293343.html
After starting Tomcat again the problem should be solved; the effect looks no different from the first method.
