
Richard Tiffin's blog

Applying SSL to a Spring Web-application on Tomcat


Configuring a Spring web application to use SSL is now a relatively straightforward task thanks to Spring Security 3. Combined with how easily SSL can be enabled in Tomcat, you can have a working SSL development server running in a short space of time.

For this tutorial I'm using Tomcat 6.0.29. Other versions of Tomcat may need more or less work, particularly around disabling the APR (Apache Portable Runtime) native connector. That is necessary here because this example uses Tomcat's built-in Java (JSSE) SSL implementation rather than OpenSSL, which is what you would more likely use in a production environment.

In this tutorial I'll cover setting up SSL in two stages: 1. configuring Tomcat to run over SSL, and 2. configuring SSL redirects via Spring Security.

Configuring Tomcat to run over SSL

  1. Generating a keystore file (self-signed certificate)
    The keystore holds the server's private key and its (self-signed) certificate, which Tomcat needs in order to serve HTTPS. To create it we'll use the keytool utility that ships with JDK 1.6; the following command creates the keystore:

    From your Java installation directory %JAVA_HOME%/bin

    - keytool -genkey -alias emc -keypass password -keystore emc_tomcat.bin -storepass password

    keytool prompts for the certificate details. Answer the "first and last name" question with the host name you will type into the browser (localhost on a development box), otherwise the browser will complain about a name mismatch on top of the untrusted, self-signed issuer. Two further things to know: JDK 1.6's keytool generates a DSA key unless you add -keyalg RSA, and the key password and store password are kept identical here because Tomcat's connector is given a single keystorePass (it has a separate keyPass attribute if the two must differ). The file is written to the directory you run the command from, which matters for the next step.

  2. Configuring Tomcat to use the keystore file
    Open the file server.xml, which can be found at <CATALINA_HOME>/conf/server.xml

    Find the SSL connector definition (it is commented out in a default install, so un-comment it if needed) and change it to:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="emc_tomcat.bin"
               keystorePass="password" />

    Two attributes matter more than they look. A relative keystoreFile is resolved against $CATALINA_BASE, not against the directory you ran keytool in, so either move emc_tomcat.bin there or give an absolute path. And secure="true" is what makes request.isSecure() return true for requests arriving on this port; Spring Security's secure-channel check relies on exactly that, so leaving it out produces an endless redirect to https.


  3. Disabling APR
    You may or may not need to do this. I found I did with Tomcat 6.0.29 on Windows, but it will differ for Unix installations. With protocol="HTTP/1.1" Tomcat auto-selects the APR/native connector whenever the tcnative library is on its path, and that connector expects OpenSSL-style SSLCertificateFile attributes rather than a keystore, so the configuration above is silently ignored. Deleting tcnative-1.dll from <CATALINA_HOME>/bin, if it exists, disables the native APR support. A less destructive alternative is to pin the Java implementation by setting protocol="org.apache.coyote.http11.Http11Protocol" on the connector.
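Before starting Tomcat it is worth checking the connector you just edited against the pitfalls above. The following script is an added example, not part of the original post and not Tomcat's own tooling: it parses a server.xml (a constructed fragment mirroring the connector from step 2 is embedded), reports the attribute problems that bite in practice, and can open a TLS session to a running connector to confirm what was negotiated. The placeholder-password list, the finding texts and the host/port used by the probe are assumptions of this example.

```python
"""Check the SSL connector(s) in a Tomcat server.xml before starting Tomcat.

Added example, not part of the original post or of Tomcat. The findings encode
the Tomcat 6 connector attribute semantics discussed in steps 2 and 3; the
sample server.xml and the placeholder-password list are constructed.
"""
import os
import re
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed fragment: Tomcat's default plain connector plus the SSL connector from step 2.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="emc_tomcat.bin" keystorePass="password"/>
  </Service>
</Server>
"""

# "changeit" is keytool's documented default; "password" is the tutorial's value.
PLACEHOLDER_PASSWORDS = {"password", "changeit"}
JSSE_BLOCKING = "org.apache.coyote.http11.Http11Protocol"


def is_absolute(path: str) -> bool:
    """os.path.isabs plus a drive-letter check, since this post is on Windows."""
    return os.path.isabs(path) or re.match(r"[A-Za-z]:[\\/]", path) is not None


def audit_ssl_connectors(server_xml: str) -> dict:
    """Return {port: [finding, ...]} for every <Connector SSLEnabled="true">."""
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        # Without secure="true", request.isSecure() is false even on the SSL port, so
        # Spring Security's secure-channel check redirects to https again and again.
        if conn.get("secure", "false").lower() != "true":
            findings.append("secure is not true: request.isSecure() stays false, https channel checks loop")
        if conn.get("scheme", "http") != "https":
            findings.append("scheme is not https: request.getScheme() will report http")
        protocol = conn.get("protocol", "HTTP/1.1")
        if "Apr" in protocol:
            findings.append("APR connector: expects SSLCertificateFile/OpenSSL, keystoreFile is ignored")
        elif protocol == "HTTP/1.1":
            findings.append("protocol HTTP/1.1 auto-switches to APR when tcnative is on the path; "
                            f"set protocol={JSSE_BLOCKING} to pin JSSE")
        keystore = conn.get("keystoreFile")
        if keystore is None:
            findings.append("keystoreFile unset: Tomcat falls back to ~/.keystore of its own user")
        elif not is_absolute(keystore):
            findings.append(f"keystoreFile '{keystore}' is relative: resolved against $CATALINA_BASE, "
                            "not the directory keytool ran in")
        if conn.get("keystorePass") in PLACEHOLDER_PASSWORDS:
            findings.append("keystorePass is a placeholder, and it sits in clear text in server.xml: "
                            "restrict the file's permissions")
        report[conn.get("port")] = findings
    return report


def probe_tls(host: str, port: int, timeout: float = 5.0) -> dict:
    """Open a TLS session to a running connector and report what was negotiated.
    Verification is off on purpose: the step 1 certificate is self-signed, so a
    verifying client would reject it before telling you anything useful."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "cert_bytes": len(tls.getpeercert(binary_form=True))}


if __name__ == "__main__":
    for port, findings in audit_ssl_connectors(SAMPLE_SERVER_XML).items():
        print(f"connector {port}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
    # Once Tomcat is up on the host and port you configured (assumed values):
    # print(probe_tls("localhost", 8443))
```

Run as-is it audits the embedded sample; swap SAMPLE_SERVER_XML for the contents of <CATALINA_HOME>/conf/server.xml to check a real install. The sample connector from step 2 is itself flagged three times: relative keystore path, placeholder password, and reliance on the HTTP/1.1 auto-switch that step 3 works around.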

Configuring SSL redirects via Spring Security

The key components needed to secure a Spring web-app by channel are: a channel processing filter, which handles the redirection between secure and insecure pages and is where the URLs that require https are declared; port mappings, which tell Spring which https port corresponds to each http port Tomcat listens on (the defaults only cover 80 to 443 and 8080 to 8443, so anything else, such as 8090 here, must be declared); and the http configuration, where individual URL patterns are assigned a required channel. With the Spring Security 3 namespace the first two are created for you as soon as you use requires-channel and port-mappings inside <security:http>, as in the configuration below. The explicit channelProcessingFilter bean that follows it is the expanded equivalent of what the namespace builds; it is shown for reference and is not wired into the filter chain here. Adding it with <security:custom-filter position="CHANNEL_FILTER"> while requires-channel is also present would not work: the namespace already registers a filter at that position and Spring Security rejects two filters with the same order.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/util
                           http://www.springframework.org/schema/util/spring-util-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- auto-config="true" adds form login, HTTP basic and logout, but an
         <security:authentication-manager> with user details (omitted here) is still required. -->
    <security:http auto-config="true">
        <!-- Spring Security 3.0 syntax: static resources bypass the filter chain entirely -->
        <security:intercept-url pattern="/styles/**" filters="none"/>
        <!-- Patterns are evaluated top to bottom and the first match wins, so the
             specific /admin and /login rules must come before the /** catch-all -->
        <security:intercept-url pattern="/admin/**" access="ROLE_SUPERADMIN, ROLE_STANDARD" requires-channel="https"/>
        <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
        <security:intercept-url pattern="/**" requires-channel="any" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

        <security:form-login login-page="/login.dhtml" authentication-failure-url="/login_fail.dhtml?error=1"/>
        <security:logout logout-url="/j_spring_security_logout" logout-success-url="/login.dhtml"/>

        <!-- http -> https port pairs for the ports Tomcat listens on. Two http ports
             sharing one https port leaves the reverse (https -> http) lookup ambiguous. -->
        <security:port-mappings>
            <security:port-mapping http="8090" https="8443"/>
            <security:port-mapping http="8080" https="8443"/>
        </security:port-mappings>
    </security:http>

    <!-- The filter that requires-channel builds behind the scenes, spelled out.
         It is not referenced from <security:http> above, so it is not in the chain;
         it is here to show how the channel decision is made. -->
    <bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
        <property name="channelDecisionManager">
            <bean class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
                <property name="channelProcessors">
                    <util:list>
                        <!-- SecureChannelProcessor redirects to https when request.isSecure() is false -->
                        <bean class="org.springframework.security.web.access.channel.SecureChannelProcessor"/>
                        <!-- InsecureChannelProcessor redirects to http when it is true -->
                        <bean class="org.springframework.security.web.access.channel.InsecureChannelProcessor"/>
                    </util:list>
                </property>
            </bean>
        </property>
        <property name="securityMetadataSource">
            <bean class="org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource">
                <constructor-arg>
                    <bean class="org.springframework.security.web.util.AntUrlPathMatcher"/>
                </constructor-arg>
                <constructor-arg>
                    <!-- LinkedHashMap keeps insertion order: the first matching key wins -->
                    <util:map map-class="java.util.LinkedHashMap">
                        <entry>
                            <key>
                                <bean class="org.springframework.security.web.access.intercept.RequestKey">
                                    <constructor-arg value="/admin/**"/>
                                </bean>
                            </key>
                            <util:list>
                                <bean class="org.springframework.security.access.SecurityConfig">
                                    <constructor-arg value="REQUIRES_SECURE_CHANNEL"/>
                                </bean>
                            </util:list>
                        </entry>
                        <entry>
                            <key>
                                <bean class="org.springframework.security.web.access.intercept.RequestKey">
                                    <constructor-arg value="/**"/>
                                </bean>
                            </key>
                            <util:list>
                                <!-- Unlike requires-channel="any" above, this actively bounces https
                                     requests back to http, which sends the session cookie in clear
                                     as soon as a user who logged in over https leaves /admin. -->
                                <bean class="org.springframework.security.access.SecurityConfig">
                                    <constructor-arg value="REQUIRES_INSECURE_CHANNEL"/>
                                </bean>
                            </util:list>
                        </entry>
                    </util:map>
                </constructor-arg>
            </bean>
        </property>
    </bean>

</beans>
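To see what those rules actually do to a request, here is a small model of the channel decision, added as an example here and not taken from Spring or from the original post. It mimics the observable behaviour of the namespace configuration above (first matching intercept-url wins; a request on the wrong channel is redirected to the mapped port, with the port omitted when it is the standard 80 or 443) and of the explicit bean version, using the two rule sets and the port mappings from the XML. The helper names, the rule tuples and the request values are constructed for this example; its one deliberate simplification is that the reverse https-to-http lookup takes the first listed mapping, whereas Spring's PortMapperImpl walks a HashMap and gives no ordering guarantee when two http ports map to the same https port.

```python
"""Model of Spring Security 3's channel decision and retry redirect, applied to
the intercept-url rules and port mappings from the configuration above.

Added example; not Spring's code and not from the original post. It mimics what
ChannelProcessingFilter does with DefaultFilterInvocationSecurityMetadataSource
(first matching Ant pattern wins), Secure/InsecureChannelProcessor (decide on
request.isSecure()) and AbstractRetryEntryPoint plus PortMapperImpl (rebuild the
URL on the mapped port, dropping it when it is the standard 80/443). The rule
lists, the mapping list and the request values are constructed for illustration.
"""
import re


def ant_to_regex(pattern: str):
    """Translate the Ant subset used in intercept-url patterns to a regex.
    '**' spans path segments, '*' and '?' stay inside one; a trailing '/**' also
    matches the bare prefix (so /admin/** matches /admin), as Spring's matcher does."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


# (pattern, required channel) in declaration order. None stands for filters="none":
# the request bypasses the whole chain, so no channel is enforced.
NAMESPACE_RULES = [("/styles/**", None), ("/admin/**", "https"),
                   ("/login*", "https"), ("/**", "any")]
# The explicit channelProcessingFilter bean: /** is REQUIRES_INSECURE_CHANNEL, not "any".
BEAN_RULES = [("/admin/**", "https"), ("/**", "http")]
# <security:port-mapping> pairs from the configuration, in declaration order.
PORT_MAPPINGS = [(8090, 8443), (8080, 8443)]


def lookup_https_port(mappings, http_port):
    return next((s for h, s in mappings if h == http_port), None)


def lookup_http_port(mappings, https_port):
    # Simplification: first listed match. PortMapperImpl walks a HashMap here, so
    # with two http ports sharing one https port Spring gives no ordering guarantee.
    return next((h for h, s in mappings if s == https_port), None)


def decide(rules, mappings, scheme, host, port, path, query=None):
    """Return the redirect URL the channel filter would send, or None to let the
    request through. `path` plays the role of request.getRequestURI(), so it
    includes any servlet context path."""
    for pattern, required in rules:
        if ant_to_regex(pattern).match(path):
            break
    else:
        return None  # no intercept-url matched: no channel attribute to enforce
    secure = scheme == "https"
    if required == "https" and not secure:
        target_scheme, target_port, standard = "https", lookup_https_port(mappings, port), 443
    elif required == "http" and secure:
        target_scheme, target_port, standard = "http", lookup_http_port(mappings, port), 80
    else:
        return None  # "any", filters="none", or already on the required channel
    uri = path + (f"?{query}" if query else "")
    if target_port is None:
        # No mapping for this port: Spring redirects to the bare request URI, which
        # re-enters on the same scheme and port, and the browser loops until it gives up.
        return uri
    authority = host if target_port == standard else f"{host}:{target_port}"
    return f"{target_scheme}://{authority}{uri}"


if __name__ == "__main__":
    cases = [
        (NAMESPACE_RULES, "http", "localhost", 8080, "/admin/users", "page=2"),
        (NAMESPACE_RULES, "https", "localhost", 8443, "/index.dhtml", None),
        (BEAN_RULES, "https", "localhost", 8443, "/index.dhtml", None),
        ([("/**", "any"), ("/admin/**", "https")], "http", "localhost", 8080, "/admin/users", None),
    ]
    for rules, scheme, host, port, path, query in cases:
        target = decide(rules, PORT_MAPPINGS, scheme, host, port, path, query)
        print(f"{scheme}://{host}:{port}{path} -> {target}")
```

Two things it makes visible: listing the /** rule before /admin/** silently disables the https requirement on /admin, and the bean configuration's REQUIRES_INSECURE_CHANNEL on /** pushes a logged-in user back to http (port 8090 here, by list order) the moment they leave /admin. A port Tomcat listens on that has no mapping produces a redirect to the same URI, which is the redirect loop you see when port-mappings is forgotten.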

 

Published Friday, October 15, 2010 2:27 PM by richard.tiffin

Comments

 

Grace.Mollison said:

I wondered how the spring side of things worked and now I know :-)

October 16, 2010 7:23 PM