Original (Chinese): Developing Java EE applications on JBoss AS 7.2.0 - 04. How to configure SSL
English: JBoss AS 7.2.0 - Java EE application development - 04. How to configure SSL
Overview
We use SSL so that pages carrying sensitive information (private data such as user passwords) are transmitted securely, and serve ordinary pages over plain HTTP wherever we can. For example, when a user logs in we force the scheme of the login page to HTTPS; after login we redirect to ordinary pages with no security requirement, whose scheme is HTTP. How that redirection is done is described in a later article. One caveat with this split: the session cookie issued during the HTTPS login is also sent with the later HTTP requests unless it is marked Secure, so anyone who can read the network can take over the logged-in session. If the session itself must be protected, keep the authenticated pages on HTTPS as well.
1. standalone.xml configuration
Pay particular attention to the SSL-related parts: the <ssl> server identity in ApplicationRealm, the https connectors in the web subsystem, and the https socket bindings.
<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:1.4">
    ...
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local"/>
                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>
            <security-realm name="ApplicationRealm">
                <server-identities>
                    <ssl>
                        <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="ybxiang_keystore_password"/>
                    </ssl>
                </server-identities>
                <authentication>
                    <jaas name="ybxiang-forum-jaas-security-domain"/>
                </authentication>
            </security-realm>
        </security-realms>
        <management-interfaces>
            <native-interface security-realm="ManagementRealm">
                <socket-binding native="management-native"/>
            </native-interface>
            <http-interface security-realm="ManagementRealm">
                <socket-binding http="management-http"/>
            </http-interface>
        </management-interfaces>
    </management>
This part is the SSL configuration for EJB: the server identity of ApplicationRealm is the certificate that the remoting connector used by EJB clients presents. Note that the keystore password sits in standalone.xml in clear text, so restrict the file's permissions to the account that runs JBoss (or move the password into the JBoss vault).
    <profile>
        ...
        <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
            <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                <ssl password="ybxiang_keystore_password" certificate-key-file="../standalone/configuration/server.keystore" protocol="TLSv1" verify-client="false" certificate-file="../standalone/configuration/server.keystore"/>
            </connector>
            <connector name="management-https" protocol="HTTP/1.1" scheme="https" socket-binding="management-https" secure="true">
                <ssl password="ybxiang_keystore_password" certificate-key-file="../standalone/configuration/server.keystore" protocol="TLSv1" verify-client="false" certificate-file="../standalone/configuration/server.keystore"/>
            </connector>
            <virtual-server name="default-host" enable-welcome-root="false">
                <alias name="localhost"/>
                <alias name="javaarm.com"/>
            </virtual-server>
        </subsystem>
        ...
    </profile>
This part is the SSL configuration for HTTP. A few points worth checking here: with native="false" the connector uses JSSE, so certificate-key-file is the path of the JKS keystore and certificate-file is ignored (it is only read by the native/APR connector); the ../standalone/... path is relative to the working directory, so it only resolves when the server is started from the bin directory, whereas ${jboss.server.config.dir}/server.keystore does not depend on that; protocol="TLSv1" pins a legacy protocol version, and "TLS" (or "TLSv1.2" where the JDK supports it) is preferable; and the "management-https" connector only exposes the web applications on the management-https socket binding, it does not put the management console behind HTTPS, which is done with the https attribute of <socket-binding> under <http-interface> together with an <ssl> server identity in ManagementRealm.
    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
        <socket-binding name="ajp" port="8009"/>
        <socket-binding name="http" port="80"/>
        <socket-binding name="https" port="443"/>
        <socket-binding name="jacorb" interface="unsecure" port="3528"/>
        <socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
        <socket-binding name="messaging" port="5445"/>
        ...
</server>
The configuration above sets the http port to the standard 80 and the https port to the standard 443. On Linux, ports below 1024 can only be bound by root; rather than running JBoss as root, keep 8080/8443 and forward 80/443 to them (with iptables or a reverse proxy in front).
2. Creating server.keystore
See: link.
Now we use the JDK keytool to create the keystores:
rem # 1. generate server.keystore: an RSA key pair plus a self-signed certificate under alias "server", valid 10 years.
rem #    Clients compare the CN with the host name they connect to, so it should be the name users type
rem #    (javaarm.com) rather than the IP; JDK 7+ keytool can also add -ext SAN=dns:javaarm.com,ip:112.65.245.231
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore server.keystore -storepass ybxiang_keystore_password -keypass ybxiang_keystore_password -dname "CN=112.65.245.231, OU=javaarm.com, O=JAVAARM-XIANG, L=Shanghai, ST=Shanghai, C=CN" -validity 3650
rem # 2. export server.cer (the certificate only, no private key) from server.keystore
keytool -export -alias server -keystore server.keystore -storepass ybxiang_keystore_password -file server.cer
rem # 3. generate client.truststore by importing server.cer as a trusted certificate
rem #    (-alias names the entry, otherwise keytool uses "mykey"; -noprompt skips the "Trust this certificate?" question)
keytool -import -v -noprompt -alias server -keystore client.truststore -storepass ybxiang_truststore_password -file server.cer
where the -dname fields correspond to keytool's interactive prompts:
CN: What is your first and last name?
OU: What is the name of your organizational unit?
O: What is the name of your organization?
L: What is the name of your City or Locality?
ST: What is the name of your State or Province?
C: What is the two-letter country code for this unit?
We obtain:
- server.keystore
- server.cer
- client.truststore
Copy server.keystore into the D:\java\jboss-as-7.2.0.Final\standalone\configuration directory.
(Copy client.truststore into the directory of the EJB client program; that truststore is used by the EJB client.) Browsers do not use client.truststore: because the certificate is self-signed, each browser will warn until server.cer is imported into it, or until the certificate is replaced by one issued by a CA the browser already trusts (keytool -certreq generates the signing request from the same keystore).
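As an added example (not code from the article or from JBoss), the following Python script audits the points in sections 1 and 2 that are easy to get wrong: it reads the web subsystem of standalone.xml (a constructed copy of the excerpt from section 1), flags the legacy protocol pin, the clear-text keystore password and the working-directory-relative keystore path, and compares the CN from the keytool -dname of section 2 with the <alias> names of the virtual server. The checks and their wording are this example's own; the sample configuration and the dname are the article's values.

```python
"""Audit the SSL-related settings of a JBoss AS 7 standalone.xml and cross-check
the certificate subject used for server.keystore against the virtual-server
aliases.  Added example; not code from the original article or from JBoss."""
import xml.etree.ElementTree as ET

WEB_NS = "urn:jboss:domain:web:1.4"

# Constructed sample: the web subsystem excerpt from the article's standalone.xml
# (the second connector and the management section are left out).
STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.4">
  <profile>
    <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
      <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
      <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl password="ybxiang_keystore_password"
             certificate-key-file="../standalone/configuration/server.keystore"
             protocol="TLSv1" verify-client="false"
             certificate-file="../standalone/configuration/server.keystore"/>
      </connector>
      <virtual-server name="default-host" enable-welcome-root="false">
        <alias name="localhost"/>
        <alias name="javaarm.com"/>
      </virtual-server>
    </subsystem>
  </profile>
</server>"""

# The -dname from the article's keytool command.
KEYTOOL_DNAME = ("CN=112.65.245.231, OU=javaarm.com, O=JAVAARM-XIANG, "
                 "L=Shanghai, ST=Shanghai, C=CN")

# Values of the ssl "protocol" attribute that pin a version with known
# weaknesses instead of letting the JDK negotiate the newest one.
LEGACY_PROTOCOLS = {"SSL", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def cn_from_dname(dname):
    """Return the CN value of an X.500 distinguished name such as 'CN=a, O=b'."""
    for part in dname.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def audit(standalone_xml, dname):
    """Return a list of (connector name, finding) for every https connector."""
    findings = []
    web = ET.fromstring(standalone_xml).find(".//{%s}subsystem" % WEB_NS)
    if web is None:
        return [("-", "no web subsystem found")]
    # Host names the server answers for; the certificate CN (or a SAN) must match one.
    aliases = {a.get("name") for a in web.iter("{%s}alias" % WEB_NS)}
    cn = cn_from_dname(dname)

    for conn in web.iter("{%s}connector" % WEB_NS):
        name = conn.get("name")
        if conn.get("scheme") != "https":
            continue
        if conn.get("secure") != "true":
            findings.append((name, 'missing secure="true": request.isSecure() stays false'))
        ssl = conn.find("{%s}ssl" % WEB_NS)
        if ssl is None:
            findings.append((name, "https connector without an <ssl> element"))
            continue
        proto = ssl.get("protocol", "TLS")
        if proto in LEGACY_PROTOCOLS:
            findings.append((name, "protocol=%s pins a legacy version; prefer TLS" % proto))
        if ssl.get("password"):
            findings.append((name, "keystore password is stored in clear text in standalone.xml"))
        keyfile = ssl.get("certificate-key-file", "")
        if keyfile.startswith(".."):
            findings.append((name, "certificate-key-file %s is relative to the working directory" % keyfile))
        if cn and cn not in aliases:
            findings.append((name, "certificate CN %s matches none of the aliases %s" % (cn, sorted(aliases))))
    return findings


if __name__ == "__main__":
    for connector, finding in audit(STANDALONE_XML, KEYTOOL_DNAME):
        print("[%s] %s" % (connector, finding))
```

Run against the article's values it reports four findings on the https connector; the CN check is the one a browser will enforce, since users reach the site as javaarm.com while the certificate was issued to the IP address.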
3. web.xml of ybxiang-forum-war
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    ...
    <!-- 1. Public Resources -->
    ...
    <!-- 2. CONFIDENTIAL resources -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>CONFIDENTIAL resources - logged in user</web-resource-name>
            <description>CONFIDENTIAL resources - logged in user</description>
            <url-pattern>/faces/login-https.xhtml</url-pattern>
            <url-pattern>/faces/console/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    ...
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>CONFIDENTIAL resources - guest</web-resource-name>
            <description>CONFIDENTIAL resources - guest</description>
            <url-pattern>/faces/register.xhtml</url-pattern>
            <url-pattern>/faces/login-form.xhtml</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-role>
        <role-name>*</role-name>
    </security-role>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/faces/login-form.xhtml</form-login-page>
            <form-error-page>/faces/login-fail.xhtml</form-error-page>
        </form-login-config>
    </login-config>
</web-app>
Now if you open http://javaarm.com/faces/register.xhtml in a browser, you are automatically redirected to https://javaarm.com/faces/register.xhtml: the container sees that the matching constraint demands CONFIDENTIAL transport and answers the plain HTTP request with a redirect to the https connector's port (443 here). Because /faces/login-form.xhtml is in the same constraint, the FORM login's POST to j_security_check, which is relative to the login page, is also submitted over HTTPS.
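Which constraint the container applies to a URL is decided by the url-pattern matching rules of the Servlet specification, and a path that slips past every pattern is served over plain HTTP without any login. The script below, an added example rather than the article's or JBoss's code, re-implements that matching and the spec's combination rules for the descriptor above (a constructed copy with the elided parts left out) so that each path can be checked before deploying. The paths /faces/index.xhtml and /console/admin.xhtml used in the demo are hypothetical, chosen to show requests that no pattern covers.

```python
"""Work out which security constraints of a web.xml apply to a request path,
using the Servlet specification's url-pattern matching (exact match, then the
longest path prefix, then extension, then the default "/") and its rules for
combining constraints declared on the same pattern.
Added example; not code from the article or from JBoss."""
import xml.etree.ElementTree as ET

NS = "http://java.sun.com/xml/ns/javaee"

# Constructed copy of the article's descriptor (elided parts omitted).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CONFIDENTIAL resources - logged in user</web-resource-name>
      <url-pattern>/faces/login-https.xhtml</url-pattern>
      <url-pattern>/faces/console/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CONFIDENTIAL resources - guest</web-resource-name>
      <url-pattern>/faces/register.xhtml</url-pattern>
      <url-pattern>/faces/login-form.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet url-pattern semantics: exact, '/prefix/*', '*.ext' or default '/'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def best_pattern(patterns, path):
    """Pick the pattern the container selects for `path`: an exact match first,
    then the longest path-prefix pattern, then an extension pattern, then '/'."""
    matching = [p for p in patterns if pattern_matches(p, path)]
    if not matching:
        return None
    if path in matching:
        return path
    prefixes = [p for p in matching if p.endswith("/*")]
    if prefixes:
        return max(prefixes, key=len)
    extensions = [p for p in matching if p.startswith("*.")]
    return extensions[0] if extensions else "/"


def parse_constraints(web_xml):
    """One dict per <security-constraint>: its url-patterns, roles and transport."""
    constraints = []
    for sc in ET.fromstring(web_xml).findall("{%s}security-constraint" % NS):
        auth = sc.find("{%s}auth-constraint" % NS)
        guarantee = sc.find(".//{%s}transport-guarantee" % NS)
        constraints.append({
            "patterns": [p.text.strip() for p in sc.iter("{%s}url-pattern" % NS)],
            # None = no auth-constraint (anonymous access allowed); [] = access precluded
            "roles": None if auth is None else [r.text.strip() for r in auth.findall("{%s}role-name" % NS)],
            "transport": guarantee.text.strip() if guarantee is not None else "NONE",
        })
    return constraints


def evaluate(constraints, path):
    """Effective requirement for `path`. Only constraints declared on the
    best-matching pattern apply. Their user-data constraints combine as the
    union of accepted connection types (one constraint without CONFIDENTIAL
    removes the HTTPS requirement), a constraint without an auth-constraint
    allows anonymous access, and an empty auth-constraint precludes access."""
    best = best_pattern({p for c in constraints for p in c["patterns"]}, path)
    if best is None:
        return {"https": False, "auth": False, "roles": set(), "denied": False}
    applicable = [c for c in constraints if best in c["patterns"]]
    roles = set()
    for c in applicable:
        roles |= set(c["roles"] or [])
    return {
        "https": all(c["transport"] in ("CONFIDENTIAL", "INTEGRAL") for c in applicable),
        "auth": all(c["roles"] is not None for c in applicable),
        "roles": roles,
        "denied": any(c["roles"] == [] for c in applicable),
    }


if __name__ == "__main__":
    rules = parse_constraints(WEB_XML)
    for p in ("/faces/register.xhtml", "/faces/console/admin.xhtml",
              "/faces/index.xhtml", "/console/admin.xhtml"):
        print(p, evaluate(rules, p))
```

Run as a script it prints the effective requirement for each path. /console/admin.xhtml comes out unprotected because every pattern in the descriptor is anchored under /faces/; that is the kind of gap to look for when the same pages are also reachable through another servlet mapping.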