java tomcat 搭建SSL雙向認證以及httpclient代碼
一、生成密鑰庫和證書
可參考以下密鑰生成腳本,根據實際情況做必要的修改,其中需要注意的是:服務端的密鑰庫參數“CN”必須與服務端的IP地址相同,否則會報錯,客戶端的任意。
key.script
1 、生成服務器證書庫
keytool -validity 365 -genkey -v -alias server -keyalg RSA -keystore /opt/web/ssl/server.keystore -dname "CN=localhost,OU=sumscope,O=sumscope,L=Pudong,ST=Shanghai,c=com" -storepass 111111 -keypass 111111
2 、生成客戶端證書庫
keytool -validity 365 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore /opt/web/ssl/client.p12 -dname "CN=client,OU=sumscope,O=sumscope,L=Pudong,ST=Shanghai,c=com" -storepass 222222 -keypass 222222
3 、從客戶端證書庫中導出客戶端證書
keytool -export -v -alias client -keystore /opt/web/ssl/client.p12 -storetype PKCS12 -storepass 222222 -rfc -file /opt/web/ssl/client.cer
4 、從服務器證書庫中導出服務器證書
keytool -export -v -alias server -keystore /opt/web/ssl/server.keystore -storepass 111111 -rfc -file /opt/web/ssl/server.cer
5 、生成客戶端信任證書庫(由服務端證書生成的證書庫)
keytool -import -v -alias server -file /opt/web/ssl/server.cer -keystore /opt/web/ssl/client.truststore -storepass 222222
6 、將客戶端證書導入到服務器證書庫(使得服務器信任客戶端證書)
keytool -import -v -alias client -file /opt/web/ssl/client.cer -keystore /opt/web/ssl/server.keystore -storepass 111111
7 、查看證書庫中的全部證書
keytool -list -keystore /opt/web/ssl/server.keystore -storepass 111111
二、Tomat配置
使用文本編輯器編輯${catalina.base}/conf/server.xml
找到Connector port="8443"的標籤,取消註釋,並修改成如下:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="SSL"
keystoreFile="/opt/web/ssl/server.keystore" keystorePass="111111"
truststoreFile="/opt/web/ssl/server.keystore" truststorePass="111111" />
備註:
keystoreFile:指定服務器密鑰庫,可以配置成絕對路徑,如“/opt/web/ssl/server.keystore”。
keystorePass:密鑰庫生成時的密碼
truststoreFile:受信任密鑰庫,和密鑰庫相同即可
truststorePass:受信任密鑰庫密碼
三、建立演示項目
項目結構圖:
項目名稱:SSL(隨意)
1. SSLServlet.java
package ian.wang.ssl.servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
public class SSLServlet extends HttpServlet {
private static final String ATTR_CER = "javax.servlet.request.X509Certificate";
private static final String CONTENT_TYPE = "text/plain;charset=UTF-8";
private static final String DEFAULT_ENCODING = "UTF-8";
private static final String SCHEME_HTTPS = "https";
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
response.setContentType(CONTENT_TYPE);
response.setCharacterEncoding(DEFAULT_ENCODING);
PrintWriter out = response.getWriter();
out.println("cmd=["+request.getParameter("cmd")+"], data=["+request.getParameter("data")+"]");
X509Certificate[] certs = (X509Certificate[]) request.getAttribute(ATTR_CER);
if (certs != null) {
int count = certs.length;
out.println("共檢測到[" + count + "]個客戶端證書");
for (int i = 0; i < count; i++) {
out.println("客戶端證書 [" + (++i) + "]: ");
out.println("校驗結果:" + verifyCertificate(certs[--i]));
out.println("證書詳細:\r" + certs[i].toString());
}
} else {
if (SCHEME_HTTPS.equalsIgnoreCase(request.getScheme())) {
out.println("這是一個HTTPS請求,但是沒有可用的客戶端證書");
} else {
out.println("這不是一個HTTPS請求,因此無法獲得客戶端證書列表 ");
}
}
out.close();
}
public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doGet(request, response);
}
private boolean verifyCertificate(X509Certificate certificate) {
boolean valid = false;
try {
certificate.checkValidity();
valid=true;
} catch (Exception e) {
e.printStackTrace();
}
return valid;
}
}
2. web.xml
說明:該演示項目強制使用了SSL,即普通的HTTP請求也會強制重定向爲HTTPS請求,配置在最下面,可以去除,這樣HTTP和HTTPS都可以訪問。
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<servlet>
<servlet-name>SSLServlet</servlet-name>
<servlet-class>ian.wang.ssl.servlet.SSLServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SSLServlet</servlet-name>
<url-pattern>/sslServlet</url-pattern>
</servlet-mapping>
<!-- 強制SSL配置,即普通的請求也會重定向爲SSL請求 -->
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern> <!-- 全站使用SSL -->
</web-resource-collection>
<user-data-constraint>
<description>SSL required</description>
<!-- CONFIDENTIAL: 要保證服務器和客戶端之間傳輸的數據不能夠被修改,且不能被第三方查看到 -->
<!-- INTEGRAL: 要保證服務器和client之間傳輸的數據不能夠被修改 -->
<!-- NONE: 指示容器必須能夠在任一的連接上提供數據。(即用HTTP或HTTPS,由客戶端來決定) -->
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
3. index.jsp
<%@ page language="java" pageEncoding="UTF-8"%>
<!doctype html>
<html lang="zh-cn">
<head>
<title>客戶端證書上傳</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
</head>
<body>
<form action="sslServlet" method="post">
<input type="submit" value="提交證書"/>
</form>
</body>
</html>
四、演示及配置
發佈演示項目,通過瀏覽器訪問: http://127.0.0.1:8080/SSL 或 https://127.0.0.1:8443/SSL ,提示無法訪問,需要導入客戶端SSL證書:
雙擊“client.p12”或在瀏覽器的工具,輸入生成密鑰時的客戶端密碼“222222”,刷新瀏覽器即可正常訪問了。
五、HttpClient模擬SSL Post請求
1. HttpClientUtil.java
package ian.wang.ssl.util;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.HttpClient;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.*;
public class HttpClientUtil {
private static final String KEY_STORE_TYPE_JKS = "jks";
private static final String KEY_STORE_TYPE_P12 = "PKCS12";
private static final String SCHEME_HTTPS = "https";
private static final int HTTPS_PORT = 8443;
private static final String HTTPS_URL = "https://localhost:8443/sslServlet";
private static final String KEY_STORE_CLIENT_PATH = "/opt/web/ssl/client.p12";
private static final String KEY_STORE_TRUST_PATH = "/opt/web/ssl/client.truststore";
private static final String KEY_STORE_PASSWORD = "222222";
private static final String KEY_STORE_TRUST_PASSWORD = "222222";
public static void main(String[] args){
String url=HTTPS_URL;
Map params=new HashMap();
params.put("cmd","test");
params.put("data","證書1");
String charset="utf-8";
doSSLPost( url, params, charset);
}
private static void doSSLPost(String url, Map<String, String> map, String charset) {
HttpClient httpClient = new DefaultHttpClient();
String result = null;
try {
KeyStore keyStore = KeyStore.getInstance(KEY_STORE_TYPE_P12);
KeyStore trustStore = KeyStore.getInstance(KEY_STORE_TYPE_JKS);
InputStream ksIn = new FileInputStream(KEY_STORE_CLIENT_PATH);
InputStream tsIn = new FileInputStream(new File(KEY_STORE_TRUST_PATH));
try {
keyStore.load(ksIn, KEY_STORE_PASSWORD.toCharArray());
trustStore.load(tsIn, KEY_STORE_TRUST_PASSWORD.toCharArray());
} finally {
try {
ksIn.close();
} catch (Exception ignore) {
}
try {
tsIn.close();
} catch (Exception ignore) {
}
}
SSLSocketFactory socketFactory = new SSLSocketFactory(keyStore, KEY_STORE_PASSWORD, trustStore);
Scheme sch = new Scheme(SCHEME_HTTPS, HTTPS_PORT, socketFactory);
httpClient.getConnectionManager().getSchemeRegistry().register(sch);
HttpPost httpPost = new HttpPost(url);
//設置參數
if (map != null) {
List<NameValuePair> list = new ArrayList<NameValuePair>();
Iterator iterator = map.entrySet().iterator();
while (iterator.hasNext()) {
Map.Entry<String, String> elem = (Map.Entry<String, String>) iterator.next();
list.add(new BasicNameValuePair(elem.getKey(), elem.getValue()));
}
httpPost.setEntity(new UrlEncodedFormEntity(list, charset));
}
HttpResponse response = httpClient.execute(httpPost);
if (response != null) {
HttpEntity resEntity = response.getEntity();
if (resEntity != null) {
result = EntityUtils.toString(resEntity, charset);
}
}
System.out.println("result={" + result + "}");
}catch(Exception e){
e.printStackTrace();
} finally {
httpClient.getConnectionManager().shutdown();
}
}
}
六、使用瀏覽器訪問 https應用截圖
1. 打開瀏覽器,訪問測試網址:https://101.231.124.155:8443/ssl , 由於該應用配置了 Tomcat SSL雙向認證,需要客戶端提供證書文件導入成功了,才能正常訪問。在Firefox 瀏覽器中,導入客戶端證書, 在 Firefox 選項 - 高級 - 證書 中, 點擊 查看證書。