Wednesday, February 13, 2008

Setting up SSL in web application and tomcat

To set up SSL in a Java web application, follow these steps:

1. First, generate a certificate using keytool. Keytool ships with Java and is located in the bin directory of the JRE. If Java is configured properly (bin on the PATH), it is directly available from the command prompt. Here is an example of its usage:

keytool -genkey -keypass password -storepass password -keystore E:\ks.bin

This generates a keystore file named ks.bin holding the certificate that our web application will use. When you run this command it asks several questions:

What is your first name and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your city or locality?
What is the name of your state or province?
What is the two letter country code for this unit?

After you answer these questions it asks you to confirm them. Once you confirm, the keystore file is written.

2. Configure Tomcat to use the certificate. Open the server.xml file in Tomcat's conf directory and find the SSLEnabled connector. If you have not used SSL before, an example connector is present but commented out in server.xml. Uncomment it and change it as follows, or simply use the connector below.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="e:\ks.bin" keystorePass="password"/>

It is better to put the keystore file inside the Tomcat directory and reference it with a relative path rather than an absolute one; Tomcat resolves a relative keystoreFile against $CATALINA_BASE.

3. Modify web.xml to enable SSL for the web application. A sample is given below:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>securedapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The url-pattern can be narrowed to limit which pages are SSL secured; in the example above, /* secures every page.
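The following Python script is an added example, not code from the original post, that checks the two configuration files from steps 2 and 3 the way a reviewer would before deploying: it reads server.xml, reports any SSLEnabled connector that uses an absolute keystoreFile (the post recommends a relative path) or lacks scheme="https"/secure="true", and it reads web.xml to decide whether a given request path is covered by a CONFIDENTIAL transport guarantee using the Servlet url-pattern rules (exact, path prefix /x/*, extension *.ext, /*). The two XML documents inside it are constructed samples; the script assumes Tomcat's documented meaning of the scheme, secure and keystoreFile attributes, and treats the "/" default-servlet pattern as a catch-all, which is a simplification.

```python
"""Added example (not from the original post): audit the HTTPS connector in
server.xml and work out which paths web.xml forces onto HTTPS.
Both XML documents are constructed sample input."""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: a plain HTTP connector plus the post's HTTPS one.
SERVER_XML = r"""
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector SSLEnabled="true" clientAuth="false" keystoreFile="e:\\ks.bin"
               keystorePass="password" maxThreads="150" port="8443"
               protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
  </Service>
</Server>
"""

# Constructed web.xml: only /account/* and *.jsp are forced onto HTTPS.
WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securedapp</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

def _parse(text):
    """Parse XML and strip namespaces so elements can be found by local name."""
    root = ET.fromstring(text.strip())
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def audit_ssl_connectors(server_xml):
    """Return {port: [findings]} for every Connector with SSLEnabled="true"."""
    report = {}
    for conn in _parse(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        # Tomcat derives request.getScheme() and request.isSecure() from these two.
        if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
            findings.append('scheme="https" and secure="true" must both be set')
        keystore = conn.get("keystoreFile", "")
        if not keystore:
            findings.append("no keystoreFile: Tomcat defaults to .keystore in the user's home")
        elif re.match(r"^(?:[A-Za-z]:[\\/]|/)", keystore):  # drive letter or leading slash
            findings.append("absolute keystoreFile %r: use a path relative to CATALINA_BASE" % keystore)
        report[conn.get("port")] = findings
    return report

def pattern_matches(pattern, path):
    """Servlet url-pattern matching against a context-relative request path."""
    if pattern in ("/*", "/"):          # "/" is the default servlet; treated as catch-all here
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):  # prefix: /x/* matches /x and /x/...
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):        # extension mapping
        return path.endswith(pattern[1:])
    if pattern == "":                   # context root only
        return path == "/"
    return path == pattern              # exact match

def tls_patterns(web_xml):
    """url-patterns whose security-constraint demands CONFIDENTIAL/INTEGRAL transport."""
    patterns = []
    for sc in _parse(web_xml).iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if guarantee not in ("CONFIDENTIAL", "INTEGRAL"):
            continue
        for coll in sc.iter("web-resource-collection"):
            patterns.extend(p.text.strip() for p in coll.iter("url-pattern") if p.text)
    return patterns

def requires_tls(web_xml, path):
    """True if web.xml forces the given path onto HTTPS."""
    return any(pattern_matches(p, path) for p in tls_patterns(web_xml))

if __name__ == "__main__":
    for port, findings in audit_ssl_connectors(SERVER_XML).items():
        print("connector %s: %s" % (port, findings or ["ok"]))
    for path in ("/account/settings", "/login.jsp", "/public/index.html"):
        print("%-22s TLS required: %s" % (path, requires_tls(WEB_XML, path)))
```

Run it as a script to see the report; point audit_ssl_connectors() and requires_tls() at the real server.xml and web.xml contents to check a deployment. Note that the prefix rule means /account/* does not cover /accounts, which is a common surprise when narrowing the url-pattern from /* to specific paths.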
