
Securing Your Tomcat App with SSL and Spring Security

by Roger Hughes · Dec. 14, 12 · Tutorial

If you've seen my last blog, you'll know that I listed ten things that you can do with Spring Security. However, before you start using Spring Security in earnest, one of the first things you really must do is to ensure that your web app uses the right transport protocol, which in this case is HTTPS - after all, there's no point in having a secure web site if you're going to broadcast your users' passwords all over the internet in plain text. To set up SSL there are three basic steps...

Creating a Key Store

The first thing you need is a private keystore containing a valid certificate, and the simplest way to generate one is to use Java's keytool utility, located in the $JAVA_HOME/bin directory.

keytool -genkey -alias MyKeyAlias -keyalg RSA -keystore /Users/Roger/tmp/roger.keystore


In the above example,

  • -alias is the unique identifier for your key.
  • -keyalg is the algorithm used to generate the key. Most examples you find on the web usually cite 'RSA', but you could also use 'DSA' or 'DES'.
  • -keystore is an optional argument specifying the location of your key store file. If this argument is missing then the default location is your $HOME directory.


RSA stands for Ron Rivest (also the creator of the RC4 algorithm), Adi Shamir and Leonard Adleman
DSA stands for Digital Signature Algorithm
DES stands for Data Encryption Standard
For more information on keytool and its arguments, take a look at this Informit article by Jon Svede.
When you run this program you'll be asked a few questions:
Roger$ keytool -genkey -alias MyKeyAlias -keyalg RSA -keystore /Users/Roger/tmp/roger.keystore
Enter keystore password: 
Re-enter new password:
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  MyDepartmentName
What is the name of your organization?
  [Unknown]:  MyCompanyName
What is the name of your City or Locality?
  [Unknown]:  Stafford
What is the name of your State or Province?
  [Unknown]:  NA
What is the two-letter country code for this unit?
  [Unknown]:  UK
Is CN=localhost, OU=MyDepartmentName, O=MyCompanyName, L=Stafford, ST=UK, C=UK correct?
  [no]:  Y

Enter key password for 
     (RETURN if same as keystore password): 

Most of the fields are self-explanatory; however, for the "first and last name" value I generally use the machine name - in this case localhost. This value becomes the certificate's CN, so it should match the host name that clients use to reach the server, otherwise browsers will report a name mismatch.

Updating the Tomcat Configuration

The second step in securing your app is to ensure that your Tomcat has an SSL connector. To do this you need to find Tomcat's server.xml configuration file, which is usually located in the 'conf' directory. Once you've got hold of this, and if you're using a standard Tomcat, it's a matter of uncommenting the relevant Connector element:

…and making it look something like this:

<Connector SSLEnabled="true" keystoreFile="/Users/Roger/tmp/roger.keystore" keystorePass="password" port="8443" scheme="https" secure="true" sslProtocol="TLS"/> 

Note that the password "password" is in plain text, which isn't very secure. There are ways around this, but that's beyond the scope of this blog.
If you're using Spring's tcServer, then you'll find that it already has an SSL connector that's configured something like this:
<Connector SSLEnabled="true" acceptCount="100" connectionTimeout="20000" executor="tomcatThreadPool" keyAlias="tcserver" keystoreFile="${catalina.base}/conf/tcserver.keystore" keystorePass="changeme" maxKeepAliveRequests="15" port="${bio-ssl.https.port}" protocol="org.apache.coyote.http11.Http11Protocol" redirectPort="${bio-ssl.https.port}" scheme="https" secure="true"/>

…in which case it's just a matter of editing the various fields including keyAlias, keystoreFile and keystorePass.
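The two points made about the connector above (the keystore password sits in server.xml in clear text, and a plain HTTP connector should hand off to the SSL port) are easy to check mechanically. The script below is an added example, not code from the article or from Tomcat: it parses a constructed server.xml modelled on the article's connector, using only the Python standard library, and reports the weaknesses it finds.

```python
"""Audit the <Connector> elements of a Tomcat server.xml for the points
made in the article: is there an SSL connector, does the plain HTTP
connector redirect to it, and is the keystore password sitting in the
file in clear text.  Added example using only the Python standard library."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the article's connector: a plain HTTP
# connector on 8080 and the SSL connector on 8443 with a literal password.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443"/>
    <Connector SSLEnabled="true" keystoreFile="/Users/Roger/tmp/roger.keystore"
               keystorePass="password" port="8443" scheme="https"
               secure="true" sslProtocol="TLS"/>
  </Service>
</Server>
"""

# Constructed sample with no SSL connector at all.
NO_SSL_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""


def connectors(server_xml):
    """Return the attribute dict of every <Connector> in document order."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")]


def _is_true(value):
    return (value or "false").strip().lower() == "true"


def audit_connectors(server_xml):
    """Return a list of (port, finding) tuples; an empty list means no findings."""
    findings = []
    all_connectors = connectors(server_xml)
    ssl_ports = {c.get("port") for c in all_connectors if _is_true(c.get("SSLEnabled"))}

    for c in all_connectors:
        port = c.get("port", "?")
        if _is_true(c.get("SSLEnabled")):
            if c.get("scheme") != "https" or not _is_true(c.get("secure")):
                findings.append((port, 'SSL connector should set scheme="https" and secure="true"'))
            if not c.get("keystoreFile"):
                findings.append((port, "SSL connector has no keystoreFile"))
            # A literal keystorePass is readable by anyone who can read server.xml.
            # A ${property} reference is not flagged here, although it only moves
            # the secret into catalina.properties or a system property.
            password = c.get("keystorePass")
            if password and not password.startswith("${"):
                findings.append((port, "keystorePass is stored in plain text in server.xml"))
        elif c.get("redirectPort") not in ssl_ports:
            # Without redirectPort pointing at an SSL connector, Tomcat cannot
            # bounce a request that hits a CONFIDENTIAL constraint over to HTTPS.
            findings.append((port, "plain HTTP connector does not redirect to an SSL port"))

    if not ssl_ports:
        findings.append(("-", "no SSLEnabled connector found"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SERVER_XML, NO_SSL_SERVER_XML):
        for port, message in audit_connectors(sample) or [("-", "no findings")]:
            print("port %s: %s" % (port, message))
```

Run against the article's own connector the only finding is the plain-text keystorePass; against a server.xml with no SSL connector it reports both the missing connector and the HTTP connector that has nowhere to redirect to. Point it at a real $CATALINA_HOME/conf/server.xml by reading the file into a string and passing it to audit_connectors.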

Configuring your App

If you now start Tomcat and run your web application, you'll find that it's accessible using HTTPS. For example, typing https://localhost:8443/my-app will work, but so will http://localhost:8080/my-app. This means that you also need to do some jiggery-pokery on your app to ensure that it only responds to HTTPS, and there are two approaches you can take.

If you're not using Spring Security, then you can simply add the following to your web.xml before the closing web-app tag:

If you are using Spring Security, then there are a few more steps to getting things going. Part of the general Spring Security setup is to add the following to your web.xml file. Firstly, you need to add a Spring Security application context file to the contextConfigLocation context-param:

<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/spring/root-context.xml
               /WEB-INF/spring/appServlet/application-security.xml
  </param-value>
</context-param>

Secondly, you need to add the Spring Security filter and filter-mapping:
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Lastly, you need to create, or edit, your application-security.xml as shown in the very minimalistic example below:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

       <http auto-config="true">
          <intercept-url pattern="/**" requires-channel="https" />
       </http>

       <authentication-manager>
       </authentication-manager>

</beans:beans>

In the example above, the intercept-url element has been set up to intercept all URLs and force them to use the https channel.

The configuration details above may give the impression that it's quicker to use the simple web.xml config change, but if you're already using Spring Security, then it's only a matter of adding a requires-channel attribute to your existing configuration.
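Whichever of the two routes you take, the thing worth verifying before shipping is that the application really does refuse plain HTTP for every URL. The script below is an added example, not code from the article or from Spring; it checks both routes against constructed inputs using only the Python standard library. The web.xml route relies on the Servlet specification's security-constraint element with a CONFIDENTIAL transport-guarantee; the fragment here is a constructed sample of that element, not the author's snippet. The Spring Security input is the article's minimal application-security.xml, with and without the requires-channel attribute.

```python
"""Check that a web application forces HTTPS by one of the two routes the
article describes: a Servlet security-constraint in web.xml, or a Spring
Security intercept-url with requires-channel="https".  Added example using
only the Python standard library."""
import xml.etree.ElementTree as ET

# Constructed web.xml using the Servlet specification's security-constraint
# element: transport-guarantee CONFIDENTIAL makes the container insist on
# HTTPS for every URL matched by /*.
WEB_XML_CONFIDENTIAL = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed web.xml with no transport constraint at all.
WEB_XML_PLAIN = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5"/>'

# The article's minimal application-security.xml, and the same file with
# the requires-channel attribute left out.
SPRING_SECURITY_HTTPS = """<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans">
  <http auto-config="true">
    <intercept-url pattern="/**" requires-channel="https"/>
  </http>
  <authentication-manager/>
</beans:beans>
"""
SPRING_SECURITY_NO_CHANNEL = SPRING_SECURITY_HTTPS.replace(' requires-channel="https"', "")


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _named(elem, name):
    """All descendants of elem (elem included) whose local tag name is name."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def web_xml_forces_https(web_xml):
    """True if a security-constraint covering /* demands CONFIDENTIAL transport."""
    root = ET.fromstring(web_xml)
    for constraint in _named(root, "security-constraint"):
        patterns = [p.text.strip() for p in _named(constraint, "url-pattern") if p.text]
        guarantees = [g.text.strip() for g in _named(constraint, "transport-guarantee") if g.text]
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


def spring_forces_https(security_xml):
    """True if an intercept-url for /** carries requires-channel="https"."""
    root = ET.fromstring(security_xml)
    for url in _named(root, "intercept-url"):
        if url.get("pattern") == "/**" and url.get("requires-channel") == "https":
            return True
    return False


def app_forces_https(web_xml, security_xml=None):
    """Either route is enough; the Spring check only applies if Spring Security is configured."""
    if web_xml_forces_https(web_xml):
        return True
    return security_xml is not None and spring_forces_https(security_xml)


if __name__ == "__main__":
    print("web.xml only:    ", app_forces_https(WEB_XML_CONFIDENTIAL))
    print("Spring Security: ", app_forces_https(WEB_XML_PLAIN, SPRING_SECURITY_HTTPS))
    print("neither:         ", app_forces_https(WEB_XML_PLAIN, SPRING_SECURITY_NO_CHANNEL))
```

The check is deliberately strict: it only passes when the whole application (/* or /**) is covered, since a requires-channel on a single login URL still leaves every other page, and the session cookie, travelling in the clear. When Spring Security redirects a plain HTTP request, it maps the port using its default port mapper, which pairs 8080 with 8443, the same ports used throughout this article.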


A sample app called tomcat-ssl demonstrating the above is available on GitHub at: https://github.com/roghughe/captaindebug

Published at DZone with permission of Roger Hughes, DZone MVB. See the original article here.
