There are two ways to obtain an SSL certificate. For this demonstration we generate one with keytool. Enter the following command and fill in the information at the prompts:

```shell
keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650
```

```
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
```
This produces a PKCS12-format keystore named keystore.p12 containing the certificate; Spring Boot will reference it at startup.

Enabling HTTPS in Spring Boot

By default the embedded Tomcat serves HTTP on port 8080. Spring Boot lets you configure either HTTP or HTTPS in application.properties, but not both at once: if both connectors are needed, at least one must be configured programmatically. The Spring Boot documentation recommends configuring HTTPS in application.properties, since HTTPS is the more complex of the two; see the spring-boot-sample-tomcat-multi-connectors sample for reference. Configure HTTPS in application.properties as follows:

```properties
server.port: 8443
server.ssl.key-store: classpath:keystore.p12
server.ssl.key-store-password: mypassword
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
```
That is all that is needed.

Redirecting HTTP requests to HTTPS (optional)

It is a good idea for the application to keep accepting HTTP, but those requests should be redirected to HTTPS. As noted above, two connectors cannot both be configured in application.properties, so the HTTP connector is configured programmatically and redirected to the HTTPS connector. This requires a TomcatEmbeddedServletContainerFactory bean in a configuration class, as in the code below:

```java
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;

@SpringBootApplication
public class ServerMain implements CommandLineRunner {

    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // A CONFIDENTIAL user-data constraint on /* makes Tomcat redirect every
                // request that arrives on a non-secure connector to HTTPS.
                // Add more patterns or constraints for finer control over what is redirected.
                SecurityConstraint constraint = new SecurityConstraint();
                constraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                constraint.addCollection(collection);
                context.addConstraint(constraint);
            }
        };
        // The HTTPS connector comes from application.properties; this adds the plain HTTP one.
        tomcat.addAdditionalTomcatConnectors(httpConnector());
        return tomcat;
    }

    @Bean
    public Connector httpConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        // Scheme assigned to requests received through this connector.
        connector.setScheme("http");
        // Port on which this connector listens for requests.
        connector.setPort(80);
        // Secure flag assigned to requests received through this connector.
        // With setSecure(true) requests on this connector would count as already secure and
        // the CONFIDENTIAL constraint would not redirect them; with false, Tomcat redirects
        // them to the redirect port below.
        connector.setSecure(false);
        // Port to redirect to (non-SSL to SSL).
        connector.setRedirectPort(443);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        SpringApplication.run(ServerMain.class, args);
    }

    @Override
    public void run(String... arg0) throws Exception {
        // Nothing to do at startup.
    }
}
```
Generating the certificate

- Open cmd (the Java environment variables must already be configured) and enter the following command:

```shell
keytool -genkey -alias tomcat
```

- Press Enter and follow the prompts to enter the password and organization details.

Copy the .keystore file from your home directory (usually C:\Users\<your username>) to the project root.

Add the following to the configuration file (/src/main/resources/application.properties):

```properties
# default is 443; change it to the port you need
server.port=8443
spring.thymeleaf.cache=false
server.ssl.key-store=.keystore
# the tomcat password entered when generating the certificate (the one entered at the last prompt)
server.ssl.key-password=123456789
server.ssl.key-store-type=JKS
server.ssl.key-alias=tomcat
```

Start the server; if the following appears, the configuration succeeded.

Open it in the browser (I could not reach it with the 360 browser, not sure why; it works with IE).
1. Download the certificate from the Alibaba Cloud certificate download page.

2. As that page explains, two certificate formats can be used: PFX and JKS. Put the corresponding certificate under src/main/resources and add the configuration to application.properties.

PFX:

```properties
server.ssl.key-store: classpath:666.pfx
# 证书密码 is the certificate's password
server.ssl.key-store-password: 证书密码
server.ssl.keyStoreType: PKCS12
```

JKS:

```properties
server.ssl.key-store: classpath:666.jks
# 证书密码 is the certificate's password
server.ssl.key-store-password: 证书密码
```

Once this is set, the site can be accessed over HTTPS.

3. One problem: with HTTP the port was set to 80, so the site could be reached both as (domain) and (domain:80); after switching to HTTPS this no longer works. The reason is that HTTPS uses SSL, whose default port is 443, so the bare domain name cannot be used directly. Simply configure server.port=443 and the domain name works again.
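A mismatch between the keystore and the server.ssl.* values above (store path, store type, store password, alias, key password) only surfaces as a Tomcat startup failure. The following pre-flight check, an added example that is not part of any of the posts above, loads the keystore with the same values the properties use and reports which one is wrong; the class name, argument order and the sample invocations are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Hypothetical pre-flight check for the values behind server.ssl.key-store,
 * server.ssl.key-store-type, server.ssl.key-store-password, server.ssl.key-alias
 * and server.ssl.key-password. Example invocations (values from the posts above):
 *   java KeystoreCheck keystore.p12 PKCS12 mypassword tomcat mypassword
 *   java KeystoreCheck .keystore   JKS    123456789  tomcat 123456789
 */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: KeystoreCheck <store> <type> <storePass> <alias> <keyPass>");
            System.exit(2);
        }
        String store = args[0], type = args[1], alias = args[3];
        char[] storePass = args[2].toCharArray();
        char[] keyPass = args[4].toCharArray();

        KeyStore ks = KeyStore.getInstance(type);          // "PKCS12" or "JKS"
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, storePass);                        // wrong store password fails here
        }
        if (!ks.containsAlias(alias)) {
            System.err.println("alias '" + alias + "' not found; available: "
                    + Collections.list(ks.aliases()));
            System.exit(1);
        }
        if (!ks.isKeyEntry(alias)) {
            System.err.println("alias '" + alias + "' holds a trusted certificate, not a private key");
            System.exit(1);
        }
        Key key = ks.getKey(alias, keyPass);               // wrong key password fails here
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity();                              // throws if expired or not yet valid
        System.out.println("OK: " + key.getAlgorithm() + " key for "
                + cert.getSubjectX500Principal() + ", valid until " + cert.getNotAfter());
    }
}
```

A self-signed keystore generated with every prompt left at Unknown passes this check, but browsers still warn on it because the certificate does not chain to a trusted CA.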