命令说明如下
-genkey | 在用户主目录中创建一个默认文件 ".keystore",还会产生一个别名为 mykey 的条目,mykey 中包含用户的公钥、私钥和证书 |
---|---|
-alias | 指定别名,缺省值 "mykey" |
-keyalg | 指定密钥的算法(如 RSA、DSA;不指定时默认采用 DSA) |
-keysize | 指定密钥长度 缺省值1024 |
-keypass | 指定别名条目的密码(私钥的密码) |
-storepass | 指定密钥库的密码(获取keystore信息所需的密码) |
-keystore | 指定密钥库的名称(产生的各类信息将不在.keystore文件中) |
-dname | 指定证书拥有者信息,例如: "CN=名字与姓氏,OU=组织单位名称,O=组织名称,L=城市或区域名称,ST=州或省份名称,C=单位的两字母国家代码" |
<!-- Tomcat server.xml: HTTPS connector on 8443 backed by the keystore produced with keytool -genkey above -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true">
<SSLHostConfig>
<!-- type="RSA" corresponds to the -keyalg used when the key pair was generated.
     The keystore password is written in clear text here, so restrict read access to server.xml.
     Only the server keystore is configured: there is no truststore / certificateVerification
     setting on SSLHostConfig, which the CLIENT-CERT <login-config> below relies on to obtain a
     client certificate - confirm that before depending on it. -->
<Certificate certificateKeystoreFile="D:/xx/xx/myserver.jks"
certificateKeystorePassword="123456" type="RSA" />
</SSLHostConfig>
</Connector>
<!-- web.xml: container-managed authentication via client certificate -->
<login-config>
<!-- Authorization setting for SSL -->
<!-- CLIENT-CERT means the container authenticates callers by the TLS client certificate;
     the HTTPS connector must request/verify client certificates for this to take effect. -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<!-- Declarative twin of HttpsConfig.postProcessContext below: every URL (/*) is marked
     CONFIDENTIAL, so plain-HTTP requests are redirected to the connector's redirectPort.
     No <auth-constraint> is declared, so this constraint only forces TLS; it does not
     restrict access by role. -->
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
src/main/resources/certs/myserver.jks
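server:
  ssl:
    # Keystore path, classpath-relative: src/main/resources/certs/ in a Spring Boot project
    key-store: classpath:certs/myserver.jks
    # Clear-text secret in the config file; consider externalising it (env var / config server)
    key-store-password: 123456
    key-store-type: JKS
  servlet:
    context-path: /
  # HTTPS port; also the redirect target used by the plain-HTTP connector in HttpsConfig
  port: 8443
  # When set, plain HTTP on 8081 is accepted and automatically redirected to HTTPS on 8443.
  # Author's note: if you do not want HTTP, do not delete the httpPort key itself -
  # only remove the 8081 value, otherwise loading the configuration fails.
  httpPort: 8081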
路径需要说明的是,一般以 classpath: 开头的表示 jar 包内路径;而在 Spring Boot 项目中,项目文件夹\src\main\resources 文件夹即对应 classpath 的根目录。
当然也可以放在jar包外其余位置,例如放在项目文件夹中的ssl文件夹中,那么路径就以file:开头配置:
server.ssl.key-store=file:ssl/ssl.jks
这样就要最后保证生成的jar要和上述ssl文件夹放在同一目录,并保证运行目录就是jar所在目录。
package com.strap.mydemo.config;
import java.util.Objects;
import lombok.Data;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
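/**
 * <p>HTTPS configuration: optionally opens a plain-HTTP connector that redirects
 * every request to the HTTPS port.</p>
 *
 * <p>Bound to the {@code server} prefix: {@code server.port} is the HTTPS port
 * (the TLS settings themselves live under {@code server.ssl.*}) and
 * {@code server.httpPort} is the optional plain-HTTP port. The redirect
 * connector is registered only when {@code server.httpPort} is set.</p>
 *
 * @author strap
 */
@Configuration
@ConfigurationProperties(prefix = "server")
@Data
public class HttpsConfig {

    /** HTTPS port ({@code server.port}); target of the redirect. */
    private Integer port;

    /** Optional plain-HTTP port ({@code server.httpPort}); {@code null} when not configured. */
    private Integer httpPort;

    public HttpsConfig() {
    }

    /**
     * Builds an embedded Tomcat factory that, in addition to HTTPS on
     * {@code server.port}, listens for plain HTTP on {@code server.httpPort}
     * and redirects those requests to HTTPS.
     *
     * <p>The bean is created only when {@code server.httpPort} is configured.
     * The placeholder carries a {@code :null} default so that an absent property
     * resolves to the SpEL {@code null} literal and the condition evaluates to
     * {@code false}, instead of the placeholder failing to resolve at startup.
     * When present, the value is already an int, so the expression must not
     * assume a string.</p>
     *
     * @return the customised {@link ServletWebServerFactory}
     */
    @Bean
    @ConditionalOnExpression("T(java.util.Objects).nonNull(${server.httpPort:null})")
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                // Programmatic equivalent of a web.xml <security-constraint> with
                // <transport-guarantee>CONFIDENTIAL</transport-guarantee> on /*:
                // requests arriving on the plain connector are redirected to HTTPS.
                // No auth-constraint is added, so this does not restrict access by role.
                SecurityConstraint constraint = new SecurityConstraint();
                constraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection everything = new SecurityCollection();
                everything.addPattern("/*");
                constraint.addCollection(everything);
                context.addConstraint(constraint);
            }
        };
        factory.addAdditionalTomcatConnectors(redirectConnector());
        return factory;
    }

    /**
     * Creates the plain-HTTP connector whose only purpose is to redirect to HTTPS.
     *
     * @return a non-secure NIO connector bound to {@code server.httpPort} that
     *         redirects to {@code server.port}
     * @throws NullPointerException if either port is unset, with a message naming
     *         the missing property rather than a bare unboxing failure
     */
    private Connector redirectConnector() {
        int plainPort = Objects.requireNonNull(getHttpPort(), "server.httpPort must be set");
        int securePort = Objects.requireNonNull(getPort(), "server.port must be set");
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        connector.setPort(plainPort);
        connector.setSecure(false);
        // Port that requests hitting the CONFIDENTIAL constraint are redirected to.
        connector.setRedirectPort(securePort);
        return connector;
    }
}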
非独立tomcat,内置tomcat ??