Implementing Tomcat mutual SSL authentication for multiple projects (one port per project, each project with its own pair of mutual-authentication certificates)


This example covers the case of one address with several ports, where each port maps to one project and each project has its own mutual-authentication certificates.

    There are two projects: WEBAPP_ONE and WEBAPP_TWO


1. Create the client and server certificates for each of the two projects separately; for certificate generation see "Mutual certificate generation".

2. Go to the Tomcat home directory, open the conf folder, and open server.xml.

3. Copy one Service (everything between <Service> and </Service>), uncomment the HTTPS Connector in the copy, and add the mutual-authentication certificate settings.

4. Under <Host> add <Context path="" docBase="/WEBAPP_ONE"/>. An empty path means the root of the URL, i.e. https://xxx.xxx.xxx:8443/xxx. You can set path to suit your project and add further levels, for example <Context path="/abc" docBase="/WEBAPP_ONE"/>, in which case the URL becomes https://xxx.xxx.xxx:8443/abc/xxx.

Notes:

1. Do not store the certificates of several clients in one server keystore (in this setup the keystore is also the truststore); otherwise the holder of another client's certificate can access a project that its certificate was not issued for.

2. Do not place the project directly under Tomcat's webapps directory: even with a path configured on <Context>, the project is then also reachable directly by its directory name, i.e. both https://xxx.xxx.xxx:8443/xxx and https://xxx.xxx.xxx:8443/abc/xxx work, which clearly contradicts the deployment requirement. Instead create a subdirectory under webapps and put the project there, so it can only be reached through the configured path.
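The two notes above are easy to get wrong when a Service is copy-pasted, so the following added example (not part of the original post) lints a server.xml for exactly those mistakes: an SSL Connector that does not require a client certificate, two Services sharing one truststore file, and a Context whose docBase sits directly under appBase. The sample server.xml it checks is constructed here; the file paths, passwords and Service names in it are placeholders, not values from the post.

```python
import posixpath
import xml.etree.ElementTree as ET


def service_xml(name, port, truststore, client_auth, context_path, doc_base):
    """Render one <Service> in the two-Service layout from the post.

    Constructed test data: paths and passwords are placeholders.
    """
    return f"""  <Service name="{name}">
    <Connector port="{port}" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="{client_auth}" sslProtocol="TLS"
               keystoreFile="{truststore}" keystorePass="changeit"
               truststoreFile="{truststore}" truststorePass="changeit"/>
    <Engine name="{name}" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="{context_path}" docBase="{doc_base}"/>
      </Host>
    </Engine>
  </Service>
"""


def build_server_xml(services):
    return '<Server port="8005" shutdown="SHUTDOWN">\n' + "".join(services) + "</Server>\n"


# The second Service carries all three mistakes the post warns about:
# clientAuth="want", the same truststore as the first Service, and a
# docBase that is a plain directory name directly under webapps.
BAD_SERVER_XML = build_server_xml([
    service_xml("Catalina", 8443, "/etc/tomcat/one.keystore", "true", "/WEBAPPONE", "/APP/WEBAPP_ONE"),
    service_xml("Catalina1", 9443, "/etc/tomcat/one.keystore", "want", "/WEBAPPTWO", "WEBAPP_TWO"),
])

# Same layout with a separate truststore per Service and projects outside webapps.
GOOD_SERVER_XML = build_server_xml([
    service_xml("Catalina", 8443, "/etc/tomcat/one.keystore", "true", "/WEBAPPONE", "/APP/WEBAPP_ONE"),
    service_xml("Catalina1", 9443, "/etc/tomcat/two.keystore", "true", "/WEBAPPTWO", "/APP/WEBAPP_TWO"),
])


def _norm(path):
    # Treat Windows and POSIX spellings of the same file as one key.
    return posixpath.normpath(path.replace("\\", "/"))


def _is_absolute(path):
    return path.startswith("/") or (len(path) > 1 and path[1] == ":")


def lint_server_xml(xml_text):
    """Return (code, service_name, detail) tuples for each isolation mistake found."""
    findings = []
    trust_owner = {}  # normalised truststore path -> first Service that uses it
    for service in ET.fromstring(xml_text).findall("Service"):
        svc = service.get("name", "?")
        for conn in service.findall("Connector"):
            if conn.get("SSLEnabled", "false").lower() != "true":
                continue
            port = conn.get("port", "?")
            # Only clientAuth="true" makes the handshake fail without a client cert.
            if conn.get("clientAuth", "false").lower() != "true":
                findings.append(("CLIENT_AUTH_NOT_REQUIRED", svc, f"port {port}"))
            trust = conn.get("truststoreFile")
            if trust is None:
                findings.append(("NO_TRUSTSTORE", svc, f"port {port} would use the JVM default trust store"))
                continue
            owner = trust_owner.setdefault(_norm(trust), svc)
            if owner != svc:
                findings.append(("SHARED_TRUSTSTORE", svc, f"{trust} is also the trust store of {owner}"))
        for ctx in service.iter("Context"):
            doc = ctx.get("docBase", "")
            if not doc:
                continue
            norm = _norm(doc)
            # A relative docBase with no subdirectory is a direct child of appBase.
            if not _is_absolute(norm) and "/" not in norm:
                findings.append(("DOCBASE_UNDER_APPBASE", svc, f'{ctx.get("path")} -> {doc}'))
    return findings


if __name__ == "__main__":
    for finding in lint_server_xml(BAD_SERVER_XML):
        print(*finding)
    print("good config findings:", lint_server_xml(GOOD_SERVER_XML))
```

Run it against a real server.xml by reading the file into `lint_server_xml`; an empty result means each SSL port insists on a client certificate, no two Services validate clients against the same truststore, and no project is deployable twice through the webapps directory name.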

============================================================================

The Service configuration in server.xml is as follows:

  <Service name="Catalina">

    <Connector port="8081" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <!-- Mutual TLS for WEBAPP_ONE: the keystore doubles as the truststore -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="D:\\tomcat.keystore" keystorePass="server123456"
               truststoreFile="D:\\tomcat.keystore" truststorePass="server123456" />

    <!-- Define an AJP 1.3 Connector on port 8309 -->
    <Connector port="8309" protocol="AJP/1.3" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Context path="/WEBAPPONE" docBase="/APP/WEBAPP_ONE"/>

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>

  <Service name="Catalina1">

    <Connector port="8082" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="9443" />

    <!-- Mutual TLS for WEBAPP_TWO: a separate keystore/truststore from WEBAPP_ONE -->
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="D:\\tomcat123.keystore" keystorePass="server123456"
               truststoreFile="D:\\tomcat123.keystore" truststorePass="server123456" />

    <!-- Define an AJP 1.3 Connector on port 8310 -->
    <Connector port="8310" protocol="AJP/1.3" redirectPort="9443" />

    <Engine name="Catalina1" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Context path="/WEBAPPTWO" docBase="/APP/WEBAPP_TWO"/>

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
