This requirement came out of a security assessment of the project I am currently working on, as the fix for one of the findings. The application is started on Spring Boot's embedded Tomcat and was served over plain HTTP; the assessment required that the project be accessed over HTTPS. A web search turned up two approaches: generate an SSL/TLS certificate locally with the JDK's keytool and deploy it in the Spring Boot project, or use a certificate issued by a cloud provider. The provider's certificate requires domain validation, which a project reachable only on localhost cannot pass, so the first approach, a self-signed certificate generated with the JDK, is used here. If the browser then warns that the connection is not secure, the generated certificate is imported into the browser's trust store. Such a certificate is only appropriate for local or test use: trusting it should be limited to the developer's machine, and a service with a real domain should use a CA-issued certificate instead.
```sh
keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore zijingkeji.p12 -validity 3650
```
Flag explanation
`-genkey`: generate a key pair and a self-signed certificate for it (`-genkeypair` is the current name of this command; `-genkey` is the older alias).
`-alias tomcat`: name of the entry inside the keystore; the application configuration refers to it as `key-alias`.
`-storetype PKCS12`: keystore format; the application configuration refers to it as `key-store-type`.
`-keyalg RSA -keysize 2048`: RSA key pair with a 2048-bit modulus.
`-keystore zijingkeji.p12`: output file; it is later placed on the classpath.
`-validity 3650`: certificate validity in days (ten years).
After entering the generation command, keytool prompts for the keystore password (the value that later goes into `key-store-password`) and for the subject fields of the certificate.
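The same generation step in script form, as an added example that is not part of the original post: it runs keytool non-interactively, checks that the keystore opens with the configured password and holds the expected entry, and exports the certificate for import into a browser trust store. File name, alias and password are the ones from the post; the subject DN and the SAN entries (localhost, 127.0.0.1) are assumptions for a localhost-only deployment.

```sh
#!/bin/sh
# Added example, not code from the original post. Values from the post:
# file zijingkeji.p12, alias tomcat, password zjkj123. Subject DN and SAN
# are assumptions for a localhost-only deployment.
set -e

KEYSTORE="${KEYSTORE:-zijingkeji.p12}"
ALIAS="${ALIAS:-tomcat}"
STOREPASS="${STOREPASS:-zjkj123}"
CERT_OUT="${CERT_OUT:-zijingkeji.crt}"

# Generate an RSA-2048 key pair and a ten-year self-signed certificate in a
# PKCS12 keystore. -dname replaces the interactive prompts; the SAN extension
# names localhost and 127.0.0.1, which browsers check instead of the CN.
gen_keystore() {
  keytool -genkeypair \
    -alias "$ALIAS" \
    -storetype PKCS12 \
    -keyalg RSA -keysize 2048 \
    -validity 3650 \
    -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=localhost, O=zijingkeji-dev" \
    -ext "san=dns:localhost,ip:127.0.0.1"
}

# Returns 0 if the keystore opens with the password and contains a private-key
# entry under the alias the application config points at (key-alias: tomcat).
check_keystore() {
  keytool -J-Duser.language=en -list -storetype PKCS12 \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | grep -q "^${ALIAS},.*PrivateKeyEntry"
}

# Export only the certificate (PEM) for the browser's trust store;
# the private key stays inside the .p12.
export_cert() {
  keytool -exportcert -rfc -alias "$ALIAS" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -file "$CERT_OUT"
}

if [ "${1:-}" = "run" ]; then
  gen_keystore && check_keystore && export_cert \
    && echo "wrote $KEYSTORE and $CERT_OUT"
fi
```

Run it with `sh make-keystore.sh run` (file name assumed). The exported `.crt` is the only thing that should be imported into a browser; the `.p12` contains the private key and stays with the application. Passing the password on the command line is acceptable on a developer machine, which is the only place this certificate should be trusted.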
```yaml
# Server port
server:
  servlet:
    context-path: /
  port: 8003
  # SSL certificate configuration
  ssl:
    enabled: true
    key-store: classpath:zijingkeji.p12   # keystore path; an absolute path also works
    key-store-password: zjkj123           # keystore password entered when the key was generated
    key-store-type: PKCS12                # keystore type, same as in the keytool command
    key-alias: tomcat                     # key alias, same as in the keytool command
```
The `ssl` block belongs under `server`, since the properties are `server.ssl.*`. With `classpath:` the keystore is read from `src/main/resources`, so it passes through Maven's resource processing during the build. The password sits in the configuration file in plaintext; Spring Boot resolves `${...}` placeholders, so it can be moved to an environment variable without code changes.
If the application then fails to start with the stack trace ending in
```
DerInputStream.getLength(): lengthTag=111, too big.
```
the keystore on the classpath has been corrupted during the build. The cause is Maven resource filtering: the `.p12` is a binary DER file, and when it is filtered as UTF-8 text, bytes that are not valid UTF-8 (such as the long-form length byte right after the leading `0x30` SEQUENCE tag) are rewritten as U+FFFD, `EF BF BD`; the JDK then reads `0xEF` as the length byte, masks off the high bit and gets 111 length octets, which is exactly the `lengthTag=111` in the message. Exclude the keystore extensions from filtering in the `maven-resources-plugin` configuration:
```xml
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-resources-plugin</artifactId>
    <configuration>
        <encoding>UTF-8</encoding>
        <nonFilteredFileExtensions>
            <!-- keep the https certificate/keystore files from being rewritten by filtering -->
            <nonFilteredFileExtension>p12</nonFilteredFileExtension>
            <nonFilteredFileExtension>pkcs12</nonFilteredFileExtension>
        </nonFilteredFileExtensions>
    </configuration>
</plugin>
```
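The following check, an added example and not part of the original post, inspects the first bytes of a `.p12` file the way the JDK's DER parser does, so that a keystore damaged by resource filtering is caught before the application is started (for example on `target/classes/zijingkeji.p12` after `mvn package`; the path is an assumption). The diagnosis follows the JDK rule quoted above: the low seven bits of the length byte give the number of length octets, and more than four is rejected as "too big".

```sh
#!/bin/sh
# Added check, not part of the original post. Verifies that a PKCS12 file
# still starts with an intact DER SEQUENCE header whose declared length
# matches the file size. A file re-encoded as UTF-8 by Maven filtering fails
# here with the same lengthTag value the JDK reports (0xEF & 0x7F = 111).
#
# Usage: p12_header_check target/classes/zijingkeji.p12   (path assumed)
# Prints a one-line diagnosis; returns 0 if consistent, 1 otherwise.
p12_header_check() {
  f="$1"
  size=$(( $(wc -c < "$f") ))
  # First six bytes as decimal values: tag, length byte, up to four length octets.
  set -- $(od -An -tu1 -N 6 "$f")
  if [ "${1:-0}" -ne 48 ]; then                 # 0x30 = ASN.1 SEQUENCE
    echo "corrupt: first byte ${1:-none} is not a DER SEQUENCE tag"
    return 1
  fi
  b=${2:-0}
  if [ "$b" -lt 128 ]; then                      # short form: the byte is the length
    hdr=2
    len=$b
  else                                           # long form: low 7 bits = number of octets
    n=$(( b & 127 ))
    if [ "$n" -eq 0 ]; then
      echo "corrupt: indefinite length is not valid in a PKCS12 file"
      return 1
    fi
    if [ "$n" -gt 4 ]; then
      echo "corrupt: lengthTag=$n, too big (file was re-encoded, e.g. by Maven filtering)"
      return 1
    fi
    shift 2
    if [ "$#" -lt "$n" ]; then
      echo "corrupt: header truncated"
      return 1
    fi
    hdr=$(( 2 + n ))
    len=0
    i=0
    while [ "$i" -lt "$n" ]; do                  # big-endian length octets
      len=$(( len * 256 + $1 ))
      shift
      i=$(( i + 1 ))
    done
  fi
  if [ $(( hdr + len )) -ne "$size" ]; then
    echo "corrupt: declared length $(( hdr + len )) != file size $size"
    return 1
  fi
  echo "ok: DER SEQUENCE of $len bytes matches file size $size"
}

if [ -n "${1:-}" ]; then
  p12_header_check "$1"
fi
```

Running it against the file in `target/classes` after a build, rather than against the source file, is the point: the copy in `src/main/resources` is never touched by filtering, only the copy Maven writes into the build output.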
After starting, opening http://127.0.0.1:8003 in the browser returns Bad Request. Why? Once `server.ssl.enabled` is true, the only connector is the TLS one on port 8003. A cleartext HTTP request sent to it is not a TLS handshake, so Tomcat rejects it with 400 Bad Request ("This combination of host and port requires TLS"). The address has to use the https scheme:
https://localhost:8003
```java
package com.zj.service.portal.config;

import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Software: IntelliJ IDEA 2020.2.3 x64
 * Author: MoBai·杰
 * Date: 2020/11/19 9:05
 * ClassName: SSLConfig
 * ClassDescribe: SSL configuration class
 */
@Configuration
public class SslConfig {

    @Bean
    public Connector connector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        // Plain-HTTP port that this additional connector listens on
        connector.setScheme("http");
        connector.setPort(8002);
        connector.setSecure(false);
        // HTTPS port (server.port) that requests arriving on the HTTP port are redirected to
        connector.setRedirectPort(8003);
        return connector;
    }

    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        // Add a security constraint covering every path, so that HTTP requests
        // are answered with a redirect to the HTTPS port
        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityConstraint securityConstraint = new SecurityConstraint();
                // CONFIDENTIAL: the request must arrive over a secure (TLS) connection
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
            }
        };
        tomcat.addAdditionalTomcatConnectors(connector());
        return tomcat;
    }
}
```
After restarting, opening http://127.0.0.1:8002 in the browser redirects automatically to https://127.0.0.1:8003. The redirect is an ordinary 302 issued by Tomcat, so the first request still travels in cleartext to port 8002 before the browser switches; nothing sensitive should be sent to the HTTP port, and the browser will keep warning about the self-signed certificate until it has been imported into its trust store as described at the start.
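To confirm both behaviours without a browser, here is a small curl-based check, added as an example and not part of the original post: it verifies that the HTTP connector answers with a redirect to an `https://` address and that a cleartext request to the TLS port is refused with 400. The ports 8002 and 8003 are the ones from the configuration above; the header-parsing helpers are kept separate from the live fetch so they can be exercised on captured responses.

```sh
#!/bin/sh
# Added check, not part of the original post: confirms with curl that the HTTP
# connector redirects to HTTPS and that plain HTTP on the TLS port is refused.
# Ports 8002/8003 are the ones from the post's configuration (override via env).
HTTP_URL="${HTTP_URL:-http://127.0.0.1:8002/}"
TLS_PORT_PLAIN_URL="${TLS_PORT_PLAIN_URL:-http://127.0.0.1:8003/}"

# Status code taken from the first line of a raw response-header block.
status_of() {
  printf '%s\n' "$1" | head -n 1 | awk '{ print $2 }'
}

# Value of the Location header, with the trailing CR removed.
location_of() {
  printf '%s\n' "$1" | awk 'tolower($1) == "location:" { sub(/\r$/, "", $2); print $2; exit }'
}

# Returns 0 if the headers are a redirect whose target uses the https scheme.
is_https_redirect() {
  case "$(status_of "$1")" in
    301|302|303|307|308) ;;
    *) return 1 ;;
  esac
  case "$(location_of "$1")" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 if the headers carry the 400 that Tomcat sends when a cleartext
# request reaches a TLS connector ("This combination of host and port requires TLS").
is_tls_required_400() {
  [ "$(status_of "$1")" = "400" ]
}

# Live run against the started application: fetch headers only (-D -, body discarded).
check_live() {
  h=$(curl -sS --max-time 5 -o /dev/null -D - "$HTTP_URL") || return 1
  is_https_redirect "$h" || { echo "FAIL: $HTTP_URL did not redirect to https"; return 1; }
  echo "OK: $HTTP_URL -> $(location_of "$h")"
  h=$(curl -sS --max-time 5 -o /dev/null -D - "$TLS_PORT_PLAIN_URL") || return 1
  is_tls_required_400 "$h" || { echo "FAIL: $TLS_PORT_PLAIN_URL accepted plain HTTP"; return 1; }
  echo "OK: $TLS_PORT_PLAIN_URL refuses cleartext (400)"
}

if [ "${1:-}" = "--live" ]; then
  check_live
fi
```

Invoke it as `sh check-redirect.sh --live` (file name assumed) while the application is running. curl is deliberately called without `-L`, so the redirect itself is inspected rather than followed, and the second fetch reproduces the Bad Request case from the question above.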