web应用http转https

网上看到说有两种http转https的方法：

一、tomcat打开8443或443端口以后，修改web.xml配置https做用路径便可实现

二、tomcat打开8443或443端口以后，建立filter类将http转为https

如下介绍的是相对简单的http转https的配置方法，第一种：

1、获取证书（自签名证书或者数字认证中心颁发的证书，这里介绍自签名证书的制做）

一、经过jdk工具生成keystore文件

keytool -genkeypair -alias "MyWebShell" -keyalg "RSA" -keystore "mywebshell.keystore"

二、导出到证书文件-crt文件

keytool -export -alias MyWebShell -file mywebshell.crt -keystore mywebshell.keystore

三、导入证书信息

keytool -import -keystore mywebshell_cacerts -file mywebshell.crt

注：生成证书时的密码必定要记下，下一步会用到。

参考连接：建立自签名证书

2、tomcat开启https相关端口-443或者8443端口

tomcat的conf文件夹下的server.xml文件中添加如下配置便可开通443或者8443端口：

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="mywebshell.keystore所在目录路径" keystorePass="生成证书时设置的密码" sslProtocol="TLS" />

完整的配置以下（给两个应用配置https服务，应配置两个不一样的https访问端口-443和8443端口，不然其中一个应用将没法进行正常访问）：

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8088" protocol="HTTP/1.1"
               connectionTimeout="8000"
               redirectPort="8443" />
	<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="keystore文件所在目录路径" keystorePass="生成证书时设置的密码" sslProtocol="TLS" />


    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.LockOutRealm">

        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
  <Service name="Catalina1">
    <Connector port="8099" protocol="HTTP/1.1"
               connectionTimeout="8000"
               redirectPort="8443" />
			   
	<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="keystore文件所在目录路径" keystorePass="生成证书时设置的密码" sslProtocol="TLS" />
	
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

	
    <Engine name="Catalina1" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps1"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>

以上，便能正常访问tomcat的808八、809九、8443端口了。

3、web应用的web.xml中添加如下代码配置须要https访问的页面

<security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>

注：/* 表示应用的全部页面都强制https访问

 

最终配置完成以后的结果以下：