Tomcat mutual SSL authentication for multiple web applications (one port per application, each application with its own pair of two-way certificates)


This setup applies to the following situation: the same host address, different ports, one web application per port, and each application with its own client and server certificates.

There are two applications: WEBAPP_ONE and WEBAPP_TWO


1. Create the client and server certificates for each of the two applications. For certificate generation, see: Two-way certificate generation

2. Go to the Tomcat home directory, open the conf folder, and open the server.xml file.

3. Duplicate a Service (everything between <Service> and </Service>), uncomment the HTTPS Connector in the copied Service, and add the settings for the mutual-authentication certificates (keystore, truststore and clientAuth).

4. Under <Host>, add <Context path="" docBase="/WEBAPP_ONE"/>. An empty path means the application is served from the root of the address, i.e. https://xxx.xxx.xxx:8443/xxx. You can set path to suit your project and add further directory levels. For example, with <Context path="/abc" docBase="/WEBAPP_ONE"/> the URL becomes https://xxx.xxx.xxx:8443/abc/xxx

Notes:

1. Do not store several clients' certificates in the server's keystore (which also serves as the truststore in the configuration below). Otherwise a party holding another client's certificate can access the application that does not belong to that client's certificate.

2. Do not place the project directly under Tomcat's webapps directory: even if a path is configured in <Context>, the application can then also be reached directly by its directory name. That is, both https://xxx.xxx.xxx:8443/xxx and https://xxx.xxx.xxx:8443/abc/xxx would work, which clearly contradicts the deployment requirement. Instead, create a subdirectory under webapps and put the project there, so that it can only be reached through the configured path.

============================================================================

The Service configuration in server.xml is as follows:

  <!-- Service for WEBAPP_ONE: HTTPS on 8443 with its own keystore/truststore -->
  <Service name="Catalina">

    <Connector port="8081" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <!-- Mutual TLS: clientAuth="true" makes the connector require a client certificate
         that is trusted by the truststore of this Service only -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="D:\\tomcat.keystore" keystorePass="server123456"
               truststoreFile="D:\\tomcat.keystore" truststorePass="server123456" />

    <!-- Define an AJP 1.3 Connector on port 8309 -->
    <Connector port="8309" protocol="AJP/1.3" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- The application lives in a subdirectory, so it is reachable only via this path -->
        <Context path="/WEBAPPONE" docBase="/APP/WEBAPP_ONE"/>

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>

  <!-- Service for WEBAPP_TWO: HTTPS on 9443 with a separate keystore/truststore -->
  <Service name="Catalina1">

    <Connector port="8082" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="9443" />

    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="D:\\tomcat123.keystore" keystorePass="server123456"
               truststoreFile="D:\\tomcat123.keystore" truststorePass="server123456" />

    <!-- Define an AJP 1.3 Connector on port 8310 -->
    <Connector port="8310" protocol="AJP/1.3" redirectPort="9443" />

    <Engine name="Catalina1" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Context path="/WEBAPPTWO" docBase="/APP/WEBAPP_TWO"/>

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
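As an added example (not part of the original post), the following Python script audits a server.xml laid out like the one above for the two properties the setup depends on: every SSL connector requires a client certificate, and no two Services share a truststore (note 1). The embedded server.xml is a constructed, condensed copy of the configuration above.

```python
"""Audit a Tomcat server.xml for the per-project mutual-TLS layout described above.

Added example, not part of the original post. Checks that every SSL connector demands a
client certificate (clientAuth="true") and that no two <Service> elements share a
truststore: a shared truststore would let one project's client certificate reach the other."""
import xml.etree.ElementTree as ET

# Constructed sample, condensed from the two-Service configuration in the post.
SAMPLE_SERVER_XML = r"""<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" clientAuth="true" sslProtocol="TLS"
               keystoreFile="D:\\tomcat.keystore" truststoreFile="D:\\tomcat.keystore"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"><Context path="/WEBAPPONE" docBase="/APP/WEBAPP_ONE"/></Host>
    </Engine>
  </Service>
  <Service name="Catalina1">
    <Connector port="9443" SSLEnabled="true" clientAuth="true" sslProtocol="TLS"
               keystoreFile="D:\\tomcat123.keystore" truststoreFile="D:\\tomcat123.keystore"/>
    <Engine name="Catalina1" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"><Context path="/WEBAPPTWO" docBase="/APP/WEBAPP_TWO"/></Host>
    </Engine>
  </Service>
</Server>"""


def audit_mutual_tls(server_xml: str) -> list:
    """Return a list of findings; an empty list means the layout matches the post."""
    findings = []
    truststore_owner = {}  # truststoreFile -> name of the Service that first used it
    for service in ET.fromstring(server_xml).iter("Service"):
        sname = service.get("name", "?")
        for conn in service.findall("Connector"):
            if conn.get("SSLEnabled", "").lower() != "true":
                continue  # plain HTTP and AJP connectors are out of scope here
            port = conn.get("port")
            if conn.get("clientAuth", "false").lower() != "true":
                findings.append(f'{sname} port {port}: clientAuth must be "true" to require a client cert')
            trust = conn.get("truststoreFile")
            if trust is None:
                findings.append(f"{sname} port {port}: no truststoreFile, the JVM default truststore would be used")
                continue
            owner = truststore_owner.setdefault(trust, sname)
            if owner != sname:
                findings.append(f"{sname} port {port}: truststore {trust} is shared with {owner}; "
                                "a client certificate trusted there reaches both projects")
    return findings
```

Run it against your real server.xml by reading the file into `audit_mutual_tls`; an empty result means each project is isolated by its own truststore.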
