Configuring an HTTPS certificate for Tomcat 7
Configuring a PFX certificate
server.xml
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           maxHttpHeaderSize="8192"
           minSpareThreads="25"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="cert\zhengshu.pfx"
           keystorePass="123456" />
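Note: when APR is enabled, protocol must not be set to HTTP/1.1, otherwise Tomcat throws: java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR.
keystoreFile is the certificate path; for files under the tomcat_home directory you can write it directly as cert/zhengshu.pfx or conf\https.keystore, e.g. /tomcat/cert/zhengshu.pfx
In addition, the server may be exposed to the TLS client-initiated renegotiation attack.
The fix is to use the NIO connector in place of the BIO connector, because NIO does not support renegotiation; this may affect server performance.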
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           maxHttpHeaderSize="8192"
           minSpareThreads="25"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="conf\https.keystore"
           keystorePass="Aa@123456" />
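The following is an added example, not part of the original post: a small audit of server.xml that reports TLS connectors still using the BIO protocol (or HTTP/1.1, which conflicts with keystore settings when APR is enabled) and attribute names that look like misspellings. The function name, the sample file and the password in it are constructed, and the attribute list covers only the attributes used on this page.

```python
import difflib
import xml.etree.ElementTree as ET

# Attribute names as used by the connectors on this page (assumed list, not exhaustive).
KNOWN = sorted({"port", "protocol", "SSLEnabled", "enableLookups", "disableUploadTimeout",
                "acceptCount", "maxHttpHeaderSize", "minSpareThreads", "maxThreads",
                "scheme", "secure", "clientAuth", "sslProtocol", "keystoreType",
                "keystoreFile", "keystorePass"})
BIO = "org.apache.coyote.http11.Http11Protocol"
NIO = "org.apache.coyote.http11.Http11NioProtocol"

def audit_connectors(server_xml):
    """Return (port, finding) tuples for every connector with SSLEnabled="true"."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP connector, out of scope here
        port = conn.get("port", "?")
        proto = conn.get("protocol", "HTTP/1.1")
        if proto == BIO:
            findings.append((port, "BIO connector, switch protocol to " + NIO))
        elif proto == "HTTP/1.1":
            findings.append((port, "HTTP/1.1 with APR enabled rejects keystore attributes"))
        for name in conn.attrib:
            if name in KNOWN:
                continue
            # Report only near-misses, so valid attributes outside KNOWN stay quiet.
            close = difflib.get_close_matches(name, KNOWN, n=1, cutoff=0.8)
            if close:
                findings.append((port, "%s looks like a misspelling of %s" % (name, close[0])))
    return findings

# Constructed sample: one HTTP connector, one BIO TLS connector with typos, one NIO TLS connector.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" enablelookups="false" acceptCunt="100"
             scheme="https" secure="true" sslProtocol="TLS"
             keystoreType="PKCS12" keystoreFile="cert/zhengshu.pfx" keystorePass="changeit" />
  <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             keystoreType="PKCS12" keystoreFile="conf/https.keystore" keystorePass="changeit" />
</Service></Server>"""

if __name__ == "__main__":
    for port, msg in audit_connectors(SAMPLE):
        print(port, msg)
```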
Automatically redirecting HTTP to HTTPS
web.xml
Add the following after the welcome-file-list node:
<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <!-- Project name -->
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Memo by 骑着母猪去打猎. If anything here infringes your rights, please contact me (骑着母猪去打猎) to have it removed. https://www.cnblogs.com/shichq/p/16363133.html